Joomla persistent user sessions across fake subdomains and primary domain - authentication

Can someone please help me to find a solution to maintaining the session across subdomains.
The site uses fake subdomains for users, eg. (thisuser.mysite.com/). All the fake subdomains map to the main site (mysite.com) so there's a common database for everything.
The subdomains are used only for a couple of components(com_xxx) on the site. for other components the user is redirected to the main site via htaaccess.
The problem is when a user is redirected to mysite.com from thisuser.mysite.com and vice versa. Their session is not maintained. The user has to login back again.
I have tried updating the cookie domain in php.ini to '.mysite.com' but it doesnt seem to help.
Is it possible that the site may have auto-logins across all subdomains and main domain without any core hacks, assuming the solution lies in making cookies readable from all subdomains, irrespective of from where it's being set?
Thanks all, for your time and suggestions !

I'm not sure how you could do this....
Here is just an idea, it would rely on javascript...
WHen a user logs in using your login form... a hidden iframe would exist and javascript would post your login data to the login page of each domaine for your site. chaining them...
i dont feel its a safe thing tho... maybe im wrong...
u could use joomla's mootool framework to send an ajax requests to each domain...
Otherwise might want to check how joomla creates a session row in the database for each user on the site. maybe you can just create them for each domaine with 1 login. im gona check my mysql....
are you using joomla 1.5 or 2.5 ?
Otherwise i found this document for you:
http://docs.joomla.org/Multiple_Domains_and_Web_Sites_in_a_single_Joomla!_installation

okay, this was easy, I was testing on the local machine and it seems if domain doesnt have the dot, then the cookies are not handled well.
Just ensuring taht cookie domain is set to '.mysite.com' gets the job done

1. It is also recommended that you use the same joomla "secret" configuration value in the different websites as it is used to check the data exchanged between the different domains.
2. taht cookie domain is set to '.mysite.com' gets the job done

Related

Is there any way to create authentication to multiple websites without any login page?

I'm trying to find a solution to my problem, and I hope I can manage to explain it properly.
I have a VPS (Debian 11 - Apache2) with root access. I added (so far) the following domain and subdomains to my VPS:
mydomain.com
play.mydomain.com
read.mydomain.com
watch.mydomain.com
study.mydomain.com
And I will probably need to create more subdomains soon, but I need to solve this problem first.
We are just 15 people in my Team who need to access to this domains/webpages. As you surely know, subdomains are independent domains on a web server. How could I give access to these subdomains ONLY to my work team? I can't create login access because each subdomain is an independent (and always different) CMS, it would take very long to customise each one, same for every time I add a new subdomain. Is there any way to give access to specific people without any login screen? I don't know for example with a token, or configuring the web server, or having a common login page? I have no idea what could be the best solution since the authorization must be managed outside the websites themselves, so any suggestion would be very much appreciated.
Thank you very much for your help,
Elliot
Please don't hesitate to suggest any possible solution! Thank you!

removing cookies on another domain using mod-rewrite and apache

I have built a cookie consent module that is used on many sites, all using the same server architecture, on the same cluster. For the visitors of these sites it is possible to administer their cookie settings (eg. no advertising cookies, but allow analytics cookes) on a central domain that keeps track of the user preferences (and sites that are visited).
When they change their settings, all sites that the visitor has been to that are using my module (kept in cookie) are contacted by loading it with a parameter in hidden iframes. I tried the same with images.
On these sites a rewrite rule is in place that detects that parameter and then retracts the cookie (set the date in the past) and redirects to a page on the module site (or an image on the module site).
This scheme is working in all browsers, except IE, as it needs a P3P (Probably the reason why it is not working for images is similar).
I also tried loading a non-existent image on the source domain (that is, the domain that is using the module) through an image tag, obviously resulting in a 404. This works on all browsers, except Safari, which doesn't set cookies on 404's (at least, that is my conclusion).
My question is, how would it be possible to retract the cookie consent cookie on the connected domains, given that all I can change are the rewrite rules?
I hope that I have explained the problem well enough for you guys to give an answer, and that a solution is possible...
I am still not able to resolve this question, but when looked at it the other way around there is a solution. Using JSONP (for an example, see: Basic example of using .ajax() with JSONP?), the client domain can load information from the master server and compare that to local information.
Based on that, the client site can retract the cookie (or even replace it) and force a reload which will trigger the rewrite rules...
A drawback of this solution is that it will hit the server for every pageview, and in my case, that's a real problem. Only testing that every x minutes or so (by setting a temporary cookie) would provide a solution.
Another, even more simple solution would be to expire all the cookies on the client site every x hour. This will force a revisit of the main domain as well.

Redirect all traffic to holding page unless logged in using .htaccess

I currently have a landing page setup on my domain.com which already receives traffic.
It will shortly be replaced with an online store. I need to upload this store to my live server in order to get it approved by the Merchant Facility Providers (MFP), and they require it to be accessible from it's final live location on domain.com in order to get approvals. I can't have users access this site until it has met approvals.
To accomplish this I wish to redirect all domain.com traffic to domain.com/holding/ except for MFP visitors.
Ideally this would be restricted by IP address, however MFP say they will need to grant a number of external parties access, and so IP address based access will not be acceptable and I should use passwords.
So my question is, how can I automatically redirect all traffic from domain.com to the holding page domain.com/holding/ unless they have logged in using a password at domain.com/login?
Users visiting the domain.com should not be asked for a password.
Will this be possible using just .htaccess/.htpasswd?
If so, can someone suggest how the logic of how it could work?
It's not possible using just an .htaccess file as all visitors would be presented with an HTTP standard authentication dialog if you enabled it on your domain.com site at the doc_root level.
Without knowing what scripting language you're using? (you've not indicated in the tags, just apache), but you could provide one index page that both acts as a landing page for users/potential-users as well as provide a login (username/password form) for MFP parties (wherever they may come from).
That way, you fulfil both needs without offending or discriminating in any way against any party.
As #nickhar has pointed out, there appears to be no way of doing this using just .htaccess.
My solution was to use a rewrite rule to redirect all requests from domain.com to domain.com/holding unless a specific cookie was set (checked for using RewriteCond %{HTTP_COOKIE}).
I set this cookie in a php script on domain.com/login, which was password protected using .htaccess/.htpasswd.
This is by no means a particularly secure solution, but is adequate for my purposes of keeping the site hidden from general traffic while the approval process is completed.

Cross domain authentication - Passing User Info

this is my first post,
I'm working on a project that required me to buy another domain. But i want it to use the same authentication system as my current domain and and also login the user into both sites.
I already found a great post whate it explains what needs to happen here: See the first comment
But I want to make it possible for the user to login on domain1.com (by entering credentials) and i want the credentials to be taken from domain1.com to maindomain.com and authenticate it.
Now, i know its not safe to send the users info unprotected, but i am not sure exactly how to do it any other way.
Do you have any suggestions to how i may send the login info or authenticate the users.
NOTE:
Both sites are on the Same server and one is in a subdirectory of the other (in the file tree) but they have two separate domains so i cant just tell it to POST the info to /login, instead i would have to send it to which would not work with POST.
Any and all help is appreciated!
Thanks in advance!
When the user logs in on server1, you could include something like this in the HTML:
<img src="http://server2/login/?hash=...">
(put a 1*1 transparent gif there or so)
The server should reply with a header that sets the session id.
If you are using cookie based sessions, the easiest way is to set additional copy of session cookie using iframe after successful login.

How Does Google Global Login Work?

Whenever I login to one Google service, I am automatically logged in all their other websites on different domains.
What I want to know is how they are able to access the disparate cookies and sessions that belong on another domain.
I tried searching online but I couldn't find any information. I could probably pull out firebug and try to find out but I am sure someone here knows.
A Google Login works like this:
1) You login, normally at a login page that is under the Google.com/accounts domain.
1a) If you aren't on the Google.com/accounts domain, it is going to forward you there after you post the form. This can be found on sites like Blogger.
Once you arrive at the Google.com/accounts domain, they do two things
2) They set a cookie(s) that is specific to the Google.com/accounts domain, that are also only able to be sent over a secure connection. This is to verify your identity later on.
I say multiple because there are several cookies bound to the google.com/accounts domain. I believe that one of these is to make sure that all doesn't fail if secure connections aren't allowed
3) They set a cookie that spans all the domains using .google.com as their domain, because this will make the cookie available to any domain.
4) They forward you back.
5) If it is a site on a different domain, like blogger, they send along an authorization key in the URL. The page sees it, verfies it, and sets the cookie for a different domain. A technique like this can be seen using Google's Oauth.
Here is where that Secure Cookie comes in.
If you notice, whenever you go to a site after you close your browser, they forward you to the google.com/accounts path, where they reverify you under a secure connection, and then reset the subdomain-wide cookie. Then they send you back.
Furthermore, some sites like Google Adsense use the same technique as Google.com/accounts uses, by making a secure cookie on a specific path, and then using more global cookies to allow greater access.
Some of this is guessing, but given what a non-insider can see, I believe that is close to the truth.
Note: I literally spent like an entire month just browsing from Google Site to Google Site seeing how they did stuff. By upvoting this post, you are decreasing the sadness I have for having no life