On Tue, Sep 1, 2009 at 2:22 AM, Behzad <behzad.eslami@xxxxxxxxx> wrote: > Dear list, > > i'm trying to integrate two php-driven web applications, which both > require the user to authenticate using a username and a password. > > Consider a situation where the user has logged-in to the 1st application. > She > clicks over a hyper-link, which directs her to the 2nd application. The > challenge > is to automatically authenticate the user on the 2nd application as well. > > i'm wondering how? > Is it secure to store the username and password in the $_SESSION, and > share the session between the two applications? > > Please let me know what do you think. > > Thank you in advance, > -behzad > The best approach to shared sessions are, commonly, database driven, but this can vary depending on your site/network topology. If the two sites are in the same server (and the server is unique) you can share sessions, but this is risky, so you have to develop with this issue in mind, let's say avoid things like this. <?php $_SESSION[ 'something' ] = $somewhat; # you can be, probably, breaking the other app ?> If you have more than just one web server, or you are planning to scale it later, then the database driven fits better. You need to share a cookie between both sites, often the "session_id", and store the user-session info in a table. If the user logs-in -no matter in which site- an entry on the user-session table is set with the cookie and the user id. When the user logs-out this entry is removed, and the user is not able to navigate to private areas in both sites. Avoid doing things like a form-post from SiteA to SiteB. This kind of things only make holes to your application security system. User credentials MUST not be handled at client-side. Keep them safetily at server-side where you are who decide which action should be taken. -- Martin Scotta
