PHP Implementing Cross-Domain Cookies Tutorial

The cross-domain cookie is a strategy that lets your website store the data from one domain in cookies from another. With Cross-Domain Cookies, these problems are solved because cookies can be created and managed on the server side.

Cookies are a great invention, allowing web developer to maintain the login status of their users. However, problems occur when your site or network has more than one domain.

The cookie specification says that any cookie set for one domain, must not be sent to any other domain. Therefore, if you set a cookie in your user’s browser on one domain, that cookie will not be available on any other domain. This is a big problem if you want your users to log in on one of your sites and still be logged in on your other domains.

My solution will use the following general framework:

A prepend script will be used that will accept the sessionid via GET or COOKIE. It will preferentially choose a GET variable over a COOKIE. Therefore, whenever we need to link across domains, we send the sessionid as a URL parameter.

The Apache configuration will be modified to do rewrites on all cross-domain cookies. The reason for this will soon become clear.

Variables will be used whenever a cross-domain href appears.

Step 1: Setting Up A Prepend Script

Add the following code to a prepend script (or a function that appears at the top of all scripts).

Once this code has been run, a global variable ‘sessionid’ will be available to the script. It will contain the value of the sessionid from the users cookie, or the value sent along with a GET request.

Step 2: Using Variables For All Cross-Domain Hrefs

Create a global configuration file that contains the base hrefs of the domains you are switching between. For example, if we have domain1.com and domain2.com, set the following:

Now, if you do the following in your code…

<?php

echo “Click here to contact us.”;

?>
…you will produce the following output…
Click here to contact us.
…where the sessionid has been inserted into the URL.
At this point, you are probably thinking “this will try to open a subdirectory on the webserver called dash, sessionid, dash?!?!?”. However, the next step will provide the necessary magic to make it all work – mod_rewrite!

Step 3: Configuring Apache

Now, the remaining step is to configure apache to rewrite this URL:
http://www.domain2.com/-66543afe6543asdf6asd-/contact/
…to this:
http://www.domain2.com/contact/?sessionid=66543afe6543asdf6asd
…and this kind of url:
http://www.domain2.com/-66543afe6543asdf6asd-/contact/?email=yes
…to this:
http://www.domain2.com/contact/?email=yes&sessionid;=66543afe6543asdf6asd
To achieve this, simply configure your two virtual servers for domain1 and domain2 as follows:
DocumentRoot /usr/local/www/domain1 ServerName www.domain1.com RewriteEngine on RewriteRule ^/-(.)-(.\?.)$ $2&sessionid;=$1 [L,R,QSA] RewriteRule ^/-(.)-(.*)$ $2?sessionid=$1 [L,R,QSA]

DocumentRoot /usr/local/www/domain2 ServerName www.domain2.com RewriteEngine on RewriteRule ^/-(.)-(.\?.)$ $2&sessionid;=$1 [L,R,QSA] RewriteRule ^/-(.)-(.*)$ $2?sessionid=$1 [L,R,QSA]
Those rewriting rules implement the above two URL rewriting requirements.

Conclusion

By using the combination of variables and apache rewriting, cross-domain cookies can be implemented in a simple fashion. In order to maintain the system, your coders need to do nothing more than use the domain variables whenever they link across domains. Links within domains do not need to be modified, as the cookie will work properly.

If you are interested in seeing this system in action on a production network, please visit http://www.familyhealth.com.au/. Run your mouse over some of the inter-domain links and see how they are rewritten when you click on them.

Perhaps, the only problem with this technique is that it is impossible to delete the cookie in the users browser for all the domains.