具有多个域和子域的PHP认证 [英] PHP authentication with multiple domains and subdomains

问题描述

我有一个主域名： main.com ，子域： test1.main.com ， test2.main.com 和其他领域 one.com ， two.com 。

I have one main domain: main.com, subdomains: test1.main.com, test2.main.com and other domains one.com, two.com.

现在，它的完成这样的：

Now it's done like these:

ini_set("session.cookie_domain", ".main.com");

$domain = 'main.com';

的login.php

login.php

$user = $db->query("SELECT id, login FROM users WHERE email=? AND password=?", 
array($email, $password), "rowassoc");

if($user)
{
  $_SESSION['user_id'] = $user['id'];
  $_SESSION['user_name'] = $user['login'];

  $time = 100000; 

  setcookie('email', $email, time() + $time, "/", "." . $domain);
  setcookie('password', $password, time() + $time, "/", "." . $domain);

  header('Location: http://' . $user['login'] . "." . $domain);
  exit;
}

添加的每个页面上：

added on each page:

if(!isset($_SESSION['user_id']))
{
  if(isset($_COOKIE['email']) && isset($_COOKIE['password']))
  {
    $email = $_COOKIE['email'];
    $password = $_COOKIE['password'];

    $user = $db->query("SELECT id, login FROM users WHERE email=? AND password=?",
    array($email, $password), "rowassoc");

    if($user)
    {
      $_SESSION['user_id'] = $user['id'];
      $_SESSION['user_name'] = $user['login'];
    }
  }
}
else
{
  $user = $db->query("SELECT id, login FROM users WHERE id=?", 
  array($_SESSION['user_id']), "rowassoc");


  if(!$user)
  {
    setcookie('email', '', time() , "/", "." . $domain);
    setcookie('password', '', time() , "/", "." . $domain);
    unset($_SESSION['user_id']);

    session_destroy();
    setcookie("PHPSESSID","",time(), "/", "." . $domain);
  }
  else
  {
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['user_name'] = $user['login'];
  }
}

logout.php

logout.php

if(isset($_SESSION['user_id']))
{
  setcookie('email', '', time() , "/", "." . $domain);
  setcookie('password', '', time() , "/", "." . $domain);
  unset($_SESSION['user_id']);
  unset($_SESSION['user_name']);

  session_destroy();
  setcookie("PHPSESSID","",time(), "/", "." . $domain);

  header('Location: /main');
  exit;
}

但它仅适用于域 main.com 及其子 test1.main.com ， test2.main.com 。

我需要以某种方式保存会话和其他领域 one.com ， two.com 。

I need to somehow save the session and on other domains one.com, two.com.

如何最好做安全认证，是否有解决方案，我真糊涂，请告诉用的例子。

How best to do safe authentication, if there are solutions, i really confused, please tell with example.

推荐答案

据我所知，穿越子域之间的会话是好的，但它不会结转到一个全新的领域。要做到这一点，你需要某种形式的集中数据的方法，或API。

As far as I know, crossing sessions between sub-domains is fine, but it won't carry over to a whole new domain. To do that you need some sort of centralized data method, or an API.

数据库的方法：你必须创建一个远程MySQL的数据访问，以便domain2.com可以在domain1.com访问数据库。当进行登录，不仅要为其创建一个新的会话，而是一种独特的登录令牌（与到期时间）应放入MySQL数据库。现在，对于每次从domain1.com去domain2.com链接，你应该添加包含随机生成的会话ID（MD5哈希值会做）一个$ _GET变量。 domain2.com，在收到游客，将采取$ _GET变量，运行它通过MySQL数据库，找到登录令牌，如果有匹配，考虑到会记录用户（也许嵌入$ _COOKIE作为好来存储的登录数据）。这将使登录转让两种完全不同的域之间。

Database method: you will have to create a remote MySQL data access so that domain2.com can access the database on domain1.com. When a log-in is performed, not only should it create a new session, but a unique log-in token (with an expiry time) should be put into the mysql database. Now, for every link that goes from domain1.com to domain2.com, you should add a $_GET variable that contains a randomly generated session id (md5 hash will do). domain2.com, upon receiving the visitor, will take the $_GET variable, run it through the MySQL database to find the login token, and if there is a match, consider that user to be logged on (and perhaps embed a $_COOKIE as well to store the login data). This will make the log-in transferrable between two completely different domains.

API方法：你需要创建一个API方法，使domain1.com可以从授权域的外部请求做出响应时，用户被转发到检索到登录令牌。这种方法也需要来自domain1.com去各个环节domain2.com到了$ _GET变量被追加到通过唯一的会话哈希值。然后在收到游客，domain2.com会做一个卷曲（）请求domain1.com/userapi.php~~V（或任何你调用文件）和变量应该反对什么是在数据库中进行测试。

API method: you need to create an API method, so that domain1.com can respond to an external request from authorized domains to retrieve the login token upon a user being forwarded. This method will also require that all links going from domain1.com to domain2.com to be appended with a $_GET variable to pass the unique session hash. Then upon receiving the visitor, domain2.com will do a curl() request to domain1.com/userapi.php (or whatever you call the file) and the variables should be tested against what's in the database.

这是我可以解释它。在code写这出最好是显著的作品，所以我不能犯。但是，你的code来看，您对PHP有一个很好的理解，所以我相信你会拉这一关！

This is the best I can explain it.. to write this out in code is a significant piece of work so I cannot commit. But judging by your code, you have a very good understanding of PHP so I'm confident you will pull this off!

祝你好运队友。

这篇关于具有多个域和子域的PHP认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！