
PHP, cross site cookie, security question.


kc8yds
06-10-2007, 03:18 PM
Hi,
I have been working on an idea to allow 2 different domains that I have to run as one, use one database for both, require only one login, and allow the user info to work for both domains.

Basically, what I came up with is the following. This is just for example purposes; the real thing validates the password on the first page, then the second page validates that the value of the GET hash is correct before setting it as a cookie.



domain1.com/login.php
<?php
if (!isset($_COOKIE['user'])) {
    // Build a 100-digit value from rand(), as in the original sketch.
    $hash = '';
    for ($i = 0; $i < 100; $i++) {
        $hash .= rand(1, 9);
    }
    setcookie('user', $hash, time() + 3600);
    // Hand the same value to the other domain as part of the URL.
    header('Location: http://domain2.com/login.php?hash=' . $hash);
    exit;
} else {
    echo htmlspecialchars($_COOKIE['user']);
}
?>


domain2.com/login.php
<?php
if (isset($_GET['hash'])) {
    // Store the value received from domain1 as this domain's cookie, then go back.
    setcookie('user', $_GET['hash'], time() + 3600);
    header('Location: http://domain1.com/login.php');
    exit;
} else {
    echo htmlspecialchars($_COOKIE['user'] ?? '');
}
?>


It basically uses a header redirect to the other domain with the value of the cookie as part of the URL, then redirects back to the original site; now each domain has its own cookie with the user info.

Before actually putting this to use on the site, I would like some input as to whether it would be secure to use or not.

thanks.
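The sketch above has three weak points a reviewer would flag: the value is produced by rand(), which is not a cryptographic generator; it travels in the URL, where it can be logged and leaked through the Referer header; and domain2 accepts whatever arrives in the query string. The following is an added example, not the poster's code, of the same two-domain handoff done with a one-time token: a CSPRNG value whose hash is stored in the shared database with a short expiry, redeemed atomically by domain2, and session cookies set with Secure, HttpOnly and SameSite flags. It assumes a PDO connection $db to a MySQL database (DATE_ADD/NOW() syntax) and the hypothetical tables users(id, username, password_hash) and sso_tokens(token_hash, user_id, expires_at, used).

```php
<?php
// Added example, not the original poster's code. Both domains share one database
// (as in the question); table and column names here are hypothetical:
//   users(id, username, password_hash)
//   sso_tokens(token_hash CHAR(64) PRIMARY KEY, user_id INT, expires_at DATETIME, used TINYINT)
// $db is a PDO connection to that database.

function start_secure_session(): void
{
    // Cookie is only sent over HTTPS, not readable by script, and not attached
    // to cross-site requests that third-party pages initiate.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);   // fresh id once the user is authenticated
}

function user_id_for_credentials(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Issue a one-time handoff token: 32 bytes from the CSPRNG instead of rand().
// Only its SHA-256 is stored, so reading the table does not yield live tokens.
function issue_handoff_token(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO sso_tokens (token_hash, user_id, expires_at, used)
         VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 60 SECOND), 0)'
    );
    $stmt->execute([hash('sha256', $token), $userId]);
    return $token;
}

// Redeem a token exactly once. The UPDATE is the check: a replayed, expired or
// unknown token matches zero rows, so two racing requests cannot both succeed.
function redeem_handoff_token(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $tokenHash = hash('sha256', $token);
    $upd = $db->prepare(
        'UPDATE sso_tokens SET used = 1
          WHERE token_hash = ? AND used = 0 AND expires_at > NOW()'
    );
    $upd->execute([$tokenHash]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT user_id FROM sso_tokens WHERE token_hash = ?');
    $sel->execute([$tokenHash]);
    return (int) $sel->fetchColumn();
}

// ---- domain1.com/login.php (POST handler) ----
function domain1_login(PDO $db): void
{
    $userId = user_id_for_credentials($db, $_POST['user'] ?? '', $_POST['pass'] ?? '');
    if ($userId === null) {
        http_response_code(401);
        exit('bad credentials');
    }
    start_secure_session();
    $_SESSION['user_id'] = $userId;
    $token = issue_handoff_token($db, $userId);
    header('Location: https://domain2.com/login.php?token=' . rawurlencode($token));
    exit;   // stop here; nothing after a redirect should keep running
}

// ---- domain2.com/login.php ----
function domain2_login(PDO $db): void
{
    $userId = redeem_handoff_token($db, $_GET['token'] ?? '');
    if ($userId === null) {
        http_response_code(403);
        exit('invalid or expired handoff');
    }
    start_secure_session();
    $_SESSION['user_id'] = $userId;   // domain2 now has its own session cookie
    header('Location: https://domain1.com/');
    exit;
}
```

The token still appears once in a URL; the 60-second expiry and single-use redemption bound what a leaked copy is worth, and the cookie that actually identifies the user is the server-side session id, never the token itself. The redirect back to domain1 is a top-level navigation, so a SameSite=Lax session cookie is sent with it.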

jrstark
02-01-2008, 07:29 PM
I can't speak to the security, but it may cause problems for your users.

I have my forum (SMF) in a single-frame frameset. When I moved to Steadfast, I moved the forum first, while leaving the domain and most of the site on the old host. Depending on how people had their browser security set, many could not stay logged in; their browsers were rejecting the cookie because it was coming from a different site.

I think it is IE 6 that caused the problem, because I used to do this all the time. I started with a hosted forum, then went through several different programs before SMF, as well as several different hosts.

Jack Matier
03-23-2008, 04:27 AM
Have you considered delegating all cookies to a cookie domain?

Written in shorthand:

Site1.com, site2.com, site3.com
<?php
// $encKey and $iv: the same key and IV configured on every site and on cookiedomain.com
if (isset($_POST['user'])) {
    // user + pass, encrypted with the shared key
    $encrypted = openssl_encrypt($_POST['user'] . ':' . $_POST['pass'],
                                 'aes-256-cbc', $encKey, 0, $iv);
    // sets cookie on cookiedomain.com by sending the browser there
    header('Location: http://cookiedomain.com/?safe=' . rawurlencode($encrypted));
    exit;
}
// check cookie
if (file_get_contents('http://cookiedomain.com/?check=true') === 'true') {
    // celebrate
}


cookiedomain.com?safe=
<?php
if (isset($_GET['safe'])) {
    // same encryption key: decrypt string, then set the cookie
    $plain = openssl_decrypt($_GET['safe'], 'aes-256-cbc', $encKey, 0, $iv);
    setcookie(':)', $plain, time() + 3600);
}

cookiedomain?check=true
<?php
if (isset($_COOKIE[':)'])) {
    // check against db
    echo 'true';
} else {
    echo 'false';
}
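A central cookie domain is a reasonable shape, but two details in the sketch above matter. First, encrypting user+pass and passing it around sends the password to a second host and gives cookiedomain.com no way to tell a forged or replayed blob from a fresh login; an authenticated, short-lived assertion of the user id does both jobs without carrying the password. Second, the check has to be performed by the browser, because only the browser holds the cookiedomain.com cookie; a site's server fetching that URL arrives with no cookie. The following is an added example, not the reply's code, of the same three endpoints with an HMAC-signed token that names its audience and issue time. It assumes a 32-byte key shared only between the sites and cookiedomain.com, read here from a hypothetical SSO_KEY_HEX environment variable, and a PHP session on each host.

```php
<?php
// Added example, not the code from the reply above. The "encrypted user+pass"
// string is replaced by a short-lived, HMAC-signed assertion of the user id, so
// the password never leaves the site that checked it. Assumed: a 32-byte key
// shared only between the sites and cookiedomain.com, read from the environment
// variable SSO_KEY_HEX (a hypothetical name), and a PHP session on each host.

const TOKEN_MAX_AGE = 60;                     // seconds an assertion stays valid
const KNOWN_SITES = ['site1.com', 'site2.com', 'site3.com'];

function sso_key(): string
{
    $hex = getenv('SSO_KEY_HEX');             // e.g. bin2hex(random_bytes(32))
    if ($hex === false || strlen($hex) !== 64) {
        throw new RuntimeException('SSO key not configured');
    }
    return hex2bin($hex);
}

// payload.signature; the payload says who, for which host, and when.
function make_assertion(int $userId, string $audience): string
{
    $json = json_encode(['uid' => $userId, 'aud' => $audience, 'iat' => time(),
                         'nonce' => bin2hex(random_bytes(16))]);
    $payload = rtrim(strtr(base64_encode($json), '+/', '-_'), '=');
    return $payload . '.' . hash_hmac('sha256', $payload, sso_key());
}

// Returns the claims, or null for a forged, malformed, stale or misdirected token.
function verify_assertion(string $token, string $expectedAudience): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    // Constant-time compare, and checked before anything in the payload is trusted.
    if (!hash_equals(hash_hmac('sha256', $payload, sso_key()), $sig)) {
        return null;
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['aud'] ?? null) !== $expectedAudience
        || !isset($claims['iat']) || time() - (int) $claims['iat'] > TOKEN_MAX_AGE) {
        return null;
    }
    return $claims;
}

function secure_session(): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// ---- site1.com: after the password has been verified locally ----
function site_send_to_cookie_domain(int $userId): void
{
    $t = make_assertion($userId, 'cookiedomain.com');
    header('Location: https://cookiedomain.com/safe.php?t=' . rawurlencode($t));
    exit;
}

// ---- cookiedomain.com/safe.php ----
function cookie_domain_safe(): void
{
    $claims = verify_assertion($_GET['t'] ?? '', 'cookiedomain.com');
    if ($claims === null) {
        http_response_code(403);
        exit('rejected');
    }
    secure_session();
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $claims['uid'];
    header('Location: https://site1.com/');
    exit;
}

// ---- cookiedomain.com/check.php: the browser is sent here; only the browser
// holds the cookiedomain.com cookie. ----
function cookie_domain_check(): void
{
    $back = $_GET['return'] ?? '';
    if (!in_array($back, KNOWN_SITES, true)) {
        http_response_code(400);
        exit('unknown return host');          // no open redirect to arbitrary hosts
    }
    secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: https://' . $back . '/login.php');
        exit;
    }
    $t = make_assertion((int) $_SESSION['user_id'], $back);
    header('Location: https://' . $back . '/sso.php?t=' . rawurlencode($t));
    exit;
}
```

The receiving site's sso.php is the mirror of safe.php: it calls verify_assertion with its own hostname as the audience, then starts its own session for the returned uid. Because the token is stateless it can be replayed within TOKEN_MAX_AGE; the nonce is there so a receiver that cares can keep a short list of recently seen nonces and reject duplicates.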

Energy jobs
12-12-2008, 02:59 AM
Now, back to what I think we can both agree are your more serious queries. Cross-site scripting is the ability to inject JavaScript into a site and then to have the site send that scripting code on to the user. There are actually many risks involved in cross-site scripting attacks because the JavaScript code can do many different malicious things. For example, the code can completely rewrite the displayed HTML, which in your case means that someone else would be able to overwrite the reviews that the user submitted—probably not an ability you would like others to have. Another example is that the malicious code can steal the user’s cookies, and cookies are often used in Web applications to identify the user.