So, I have two sites, sites A and B. I need to make B part of A. I did this by adding a module to A, and within that module, an iframe that contained a link to B. So, effectively speaking, B can still be accessed as a standalone site, but it can also be accessed through A. Now, both sites require a login to allow access. I need to bypass the login for site B when it is accessed through Site A. I managed to bypass it, but only if the two sites are hosted on the same server (I used session variables), but now I need to be able to bypass the login screen on B regardless of the server it is hosted on. So, how do I do this?
At first I thought cookies, but cookies are domain-specific, and the two sites might be hosted on separate domains.
Is there a way to use GET? So, Site A calls a URL with the username written in the URL, and then Site B reads the URL, parses it and logs in accordingly. I have no idea how I can implement this: what kind of URL would I have to call, what kind of PHP code would Site B need, and lastly, how do you make something like this secure?
Thanks for all your help.
Send a UUID with a hash to site B. The hash should be something that only both servers will know and can decode, so something like the following should work.
<?php
// Site A: build the link to Site B
$salt = 'ashfiu8435t43434t fgfjgfgfuguSGDSBDY77;'; // shared secret, must be identical on both servers
$uuid = ''; // this should be set to the user's ID
$hash = sha1($salt . $uuid);
?>
<a href="http://siteb.com?hash=<?php echo $hash; ?>&uuid=<?php echo urlencode($uuid); ?>">Site B</a>
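<?php
// Site B: recompute the hash from the shared secret and compare it with the one sent
$salt = 'ashfiu8435t43434t fgfjgfgfuguSGDSBDY77;';
// Treat missing or non-string parameters as empty so the comparison simply fails
$uuid = is_string($_GET['uuid'] ?? null) ? $_GET['uuid'] : '';
$sent_hash = is_string($_GET['hash'] ?? null) ? $_GET['hash'] : '';
$local_hash = sha1($salt . $uuid);
// hash_equals() compares in constant time, unlike ===
if (hash_equals($local_hash, $sent_hash)) {
    echo 'Logged in! Yay!';
} else {
    echo 'Authentication failed';
}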
You should make the hash more difficult to fake or figure out and make it expire after a given time so that people can't just save hashes and re-use them or pass them about. I have deliberately kept it simple to show this would work.
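One way to implement the advice above (a hash that is harder to fake and that expires), as an added example that is not part of the original answer. `SHARED_SECRET`, `TOKEN_TTL`, `make_login_token()` and `verify_login_token()` are hypothetical names, and the secret and lifetime are placeholder values.

```php
<?php
// Added example: expiring, HMAC-signed login token shared between Site A and Site B.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // placeholder, same value on both servers
const TOKEN_TTL = 60; // seconds a link stays valid (assumed value)

// Site A: build the query string for the iframe/link to Site B.
function make_login_token(string $uuid, ?int $now = null): string
{
    $expires = ($now ?? time()) + TOKEN_TTL;
    // Sign the user ID and the expiry together so neither can be changed on its own.
    $sig = hash_hmac('sha256', $uuid . '|' . $expires, SHARED_SECRET);
    return http_build_query(['uuid' => $uuid, 'expires' => $expires, 'sig' => $sig]);
}

// Site B: return the user ID if the token is authentic and unexpired, otherwise null.
function verify_login_token(array $query, ?int $now = null): ?string
{
    foreach (['uuid', 'expires', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null; // missing field, or an array passed as uuid[]=...
        }
    }
    if (!ctype_digit($query['expires'])) {
        return null; // expiry must be a plain Unix timestamp
    }
    $expected = hash_hmac('sha256', $query['uuid'] . '|' . $query['expires'], SHARED_SECRET);
    // Constant-time comparison of the recomputed and the received signature.
    if (!hash_equals($expected, $query['sig'])) {
        return null;
    }
    if ((int) $query['expires'] < ($now ?? time())) {
        return null; // signature is valid but the link is too old
    }
    return $query['uuid'];
}

// Constructed demonstration with a fixed clock instead of time().
$t0 = 1700000000;
parse_str(make_login_token('42', $t0), $query);
var_dump(verify_login_token($query, $t0 + 10));   // checked inside the lifetime
var_dump(verify_login_token($query, $t0 + 3600)); // checked after expiry
$query['uuid'] = '1';                             // user ID changed after signing
var_dump(verify_login_token($query, $t0 + 10));
```

A token built this way can still be replayed until it expires, so Site B would need to record used tokens to make each one single-use, and the link should be served over HTTPS because the token travels in the URL.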