PHP login in one domain then using the session in another one -
so have variable must send website. how can send in way user can't change it? account id, login session, since user logs in through steam, doesn't need enter password(at least on site). need pass account id domain securely. securely mean, don't care if sees long can't change no matter what. there way of doing this? reason can't let them log in directly in first website because steam has flagged it, did lot of sites has ref codes. user kinda not able log in cause in warning "continue anyways" button tiny many users don't see it. made big sites did, bought domain , redirected login it. other site not blacklisted login can go normally.
i using curl authenticate , response authenticating domain use on origin domain.
origin.com/authenticate-user.php
$ch = curl_init('http://authenticator.com/authenticate-user.php'); curl_setopt($ch, curlopt_post, true); curl_setopt($ch, curlopt_postfields, http_build_query(array('steam_id' => $_session['steam_id']))); curl_setopt($ch, curlopt_returntransfer, true); curl_setopt($ch, curlopt_header, false); curl_setopt($ch, curlopt_followlocation, true); $response = curl_exec($ch); curl_close ($ch); $_session['user_valid'] = $response;
authenticator.com/authenticate-user.php
//optional conditions test origin or requesting source prevent cross-site attacks. if (isset($_post['steam_id']){ //..validate user here echo 1; } else { echo 0; }
this make request sent server instead of client, , unchangeable user. require manage session 1 domain instead of two, since authenticator process information sent it. not sure why session need set on authenticating domain though, if can give scenario needed. can change response like, serving entire webpage if desired.
another option use cookies opposed sessions. cookies can shared cross-domain allowing within api processor via cors , xmlhttprequest (ajax). being sent via xmlhttprequest can stopped , manipulated user.
Comments
Post a Comment