Re: switching between admin areas on two domains with one login?

On Thu, March 23, 2006 2:34 pm, afan@xxxxxxxx wrote:
> have two domains and each domain has its own admin registered areas.
> Have to allow people who registered to change domains and areas without
> login again?
> On reg. areas, after login, create sess_id to check if visitor is
> logged in, but sess_ids on domains are different and can't compare them?

You'll need to have SOME shared data between the two domains.

Perhaps you could have a table in the database, for example, with
username and current sess_id on each site.

In your link to the "other" site, you'd embed their username and the
sess_id on the "current" site, and pass it on to the other site.

The HORRIBLE weakness here is that ANYBODY could intercept that
sess_id and break into the "other" site.

So, it's do-able, it's just not secure!

The sess_id's are different because domains cannot share Cookies. 
SUB-domains can share cookies, however.

So if the admin sections can both be put on foo.example.com and
bar.example.com, the cookie can be set to example.com, and foo and bar
can share it (I think).

Here's the thing:  Almost anything I can think of that you can do to
make it easy for the user to login between admin applications, will
make the admin applications inherently insecure.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
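
An added example, not part of the original message or the thread: one way to narrow the interception weakness described above is to put a short-lived, single-use, HMAC-signed token in the link instead of the raw sess_id. The function names, the shared secret, the 30-second lifetime and the in-memory array standing in for the shared database table are all assumptions, and the link still has to travel over HTTPS.

```php
<?php
// Added example: every name and value here is hypothetical, not from the thread.
const HANDOFF_SECRET = 'REPLACE-WITH-RANDOM-KEY-KNOWN-TO-BOTH-SITES'; // placeholder
const HANDOFF_TTL = 30; // seconds a handoff link stays valid (assumption)

// "Current" site: build the token that goes into the link to the other site.
// The session id itself never leaves the site that issued it.
function handoff_issue(string $username, int $now): string
{
    $claims = ['u' => $username, 'exp' => $now + HANDOFF_TTL, 'n' => bin2hex(random_bytes(16))];
    $payload = base64_encode(json_encode($claims));
    // Base64 never contains '.', so it is safe as the separator.
    return $payload . '.' . hash_hmac('sha256', $payload, HANDOFF_SECRET);
}

// "Other" site: returns the username, or null if the token is forged,
// expired or already used. $usedNonces stands in for the shared table.
function handoff_verify(string $token, int $now, array &$usedNonces): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; reject before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $payload, HANDOFF_SECRET), $mac)) {
        return null;
    }
    $claims = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($claims) || !isset($claims['u'], $claims['exp'], $claims['n'])) {
        return null;
    }
    if ($now > $claims['exp'] || isset($usedNonces[$claims['n']])) {
        return null; // too old, or a replay of an intercepted link
    }
    $usedNonces[$claims['n']] = $claims['exp']; // burn the nonce
    return $claims['u'];
}

// Constructed sample run with a made-up user and fixed timestamps.
$used = [];
$token = handoff_issue('alice', 1000);
$link = 'https://other.example/admin/handoff.php?t=' . rawurlencode($token);
var_dump(handoff_verify($token, 1010, $used));        // first use, inside the lifetime
var_dump(handoff_verify($token, 1011, $used));        // same token again (replay)
var_dump(handoff_verify($token . 'x', 1012, $used));  // tampered MAC
var_dump(handoff_verify(handoff_issue('alice', 1000), 1100, $used)); // past expiry
```

On a successful verify the receiving site should start its own session and call `session_regenerate_id(true)` rather than reuse anything from the link.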

