Using Login Session Cross-Domain With OpenCart

Hi all.

I need to have a webshop with my site, and it just seems like a waste to write one myself. First of all, it will not be as good as OpenCart. And secondly, it's going to take hundreds of hours.

So I've got my Yii app on domain.com, and I have an OpenCart installation on webshop.domain.com.

But I can't ask my users to register accounts both in the shop and on my community site.

So if I write my Yii app to use the OC user database, I need the possibility to authenticate on either of the sites, then seamlessly jump between them without the need for re-authentication.

Can anyone point me to a tutorial or any writings on this topic? And is this a good idea? Any comments or suggestions?

Thank you.

So, I've been trying to figure this out. These are the results I've got so far.

Now, in the development phase, both OC and Yii are on the same domain and server (localhost).

After the launch, the sites will remain on the same server, but on different domains. Not subdomains.

When I'm working on the same domain, the two use the same PHPSESSID, but they store information very differently.

This is my session content after logging in on both applications, using the same user from the same DB table:


cd7e1979f40f0644e3fe05f5809fd61a__id|s:20:"my@email.com";
cd7e1979f40f0644e3fe05f5809fd61a__name|s:20:"my@email.com";
cd7e1979f40f0644e3fe05f5809fd61acustomer_id|s:1:"1";
cd7e1979f40f0644e3fe05f5809fd61a__states|a:1:{s:11:"customer_id";b:1;}
cd7e1979f40f0644e3fe05f5809fd61aYii.CWebUser.flashcounters|a:0:{}
language|s:2:"en";
currency|s:3:"USD";
cart|a:0:{}
customer_id|s:1:"1";
shipping_country_id|s:3:"160";
shipping_zone_id|s:4:"2447";
shipping_postcode|s:4:"3014";



If anyone else is experimenting with the same, you have to rewrite your UserIdentity to something similar to this, where the password is salted and SHA1-encrypted several times:


class UserIdentity extends CUserIdentity
{
    public function authenticate()
    {
        // Look the customer up in OpenCart's own customer table by e-mail address
        $user = Customer::model()->findByAttributes(array('email'=>$this->username));

        if ($user===null) { // No user found!
            $this->errorCode=self::ERROR_USERNAME_INVALID;
        } else if ($user->password !== sha1($user->salt.sha1($user->salt.sha1($this->password)))) {
            // Invalid password! OpenCart stores sha1(salt . sha1(salt . sha1(password)))
            $this->errorCode=self::ERROR_PASSWORD_INVALID;
        } else { // Okay!
            $this->errorCode=self::ERROR_NONE;
            // OpenCart's primary key column is customer_id (there is no "id" column),
            // and customer_id is the key the session dump above shows being stored
            $this->setState('customer_id', $user->customer_id);
        }
        return !$this->errorCode;
    }
}

So the session does not work on both pages (well, the logout does, score!) because Yii stores the customer_id in the "cd7e1979f40f0644e3fe05f5809fd61a__states" variable in the session.

And the only reason the apps are using the same session now is the fact that they are on the same domain, so I have to find a workaround for that as well.

That's all I have so far. I'm going to keep posting here, both to get good tips from other users, and maybe someone else gets some use out of it.

Information in the session is not shared between applications because each Yii application generates a unique 'stateKeyPrefix', the prefix for all entries related to user state ('cd7e1979f40f0644e3fe05f5809fd61a' in your example). To share this data you need to set the same stateKeyPrefix in both applications; you can do this in the main config by adding:




'components'=>array(
  ...
  'user'=>array(
    'class'=>'CWebUser',
    'stateKeyPrefix'=>'my_own_prefix',
  ),
  ...
),



Also, to share sessions you need to make them accessible to both applications (same storage directory on the server, or use DB sessions) and properly configure the session cookies so that the browser sends them to both applications (URLs).
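The three settings from the reply above (same state key prefix, shared session storage, a cookie both sites receive) as one Yii 1.x config fragment. This is an added example, not config from the thread or from Yii itself; the save path, the session table name, the cookie domain and the assumption that both sites are served over HTTPS are mine. The cookie scope only covers the subdomain layout from the first post (domain.com and webshop.domain.com): a cookie for `.domain.com` is never sent to a second registered domain, so for the "different domains, not subdomains" case the session itself cannot be shared this way.

```php
<?php
// protected/config/main.php, session-related components only (added example).
// Put the identical block in BOTH Yii applications; the values must match exactly.
return array(
    'components' => array(
        'user' => array(
            'class'          => 'CWebUser',
            // Identical in both apps, so "customer_id" is stored under the same
            // session key everywhere. An empty prefix makes the key plain "customer_id",
            // which is also the key OpenCart itself reads.
            'stateKeyPrefix' => '',
            'allowAutoLogin' => false,
        ),
        'session' => array(
            // File-backed sessions, pointed at the directory OpenCart's native PHP
            // sessions already live in (assumed path). Alternative: CDbHttpSession with
            // 'connectionID' => 'db' and 'sessionTableName' => 'session', if OpenCart
            // is also switched to the same database-backed store.
            'class'       => 'CHttpSession',
            'savePath'    => '/var/lib/php/sessions',
            // Cookie name must match OpenCart's, otherwise the browser holds two
            // unrelated session ids and the two sites never meet.
            'sessionName' => 'PHPSESSID',
            'cookieParams' => array(
                // Leading dot: sent to domain.com and every *.domain.com, nothing else.
                'domain'   => '.domain.com',
                'path'     => '/',
                'secure'   => true,   // assumes both sites are HTTPS-only
                'httponly' => true,   // keeps the id away from injected scripts
            ),
        ),
    ),
);
```

With the prefix empty, `Yii::app()->user->setState('customer_id', ...)` and `Yii::app()->session['customer_id'] = ...` write the same slot, which is why the later post's direct session write works. The `secure` flag means the cookie is never sent over plain HTTP, so test with HTTPS on both hosts or drop it only on a development box.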

Thanks RedGuy!

What I did was to set


'stateKeyPrefix'=>''

and


Yii::app()->session['customer_id'] = $user->customer_id;

And that worked like a charm. On localhost, at least.

Then I googled around and understood that cross-domain sessions are a fairly complicated task.

The solution I've come to is that on each application I run a hidden iframe with a cookie script on the other server.

But to pass any variables over to the other server, I had to do it via $_GET, as $_POST did not work.

So domain1.com iframes domain2.com?u=$username&p=SHA1($password).

And even I understand that that must be bad practice!

Does anyone have a more secure solution to that problem?

It IS insecure, as GET params are logged in web server log files, which are plain text. This makes the login and password hash accessible to anyone with rights to read the log files, and they can use that information just by pasting the logged URL with its params into a browser window: identity hijacking.

You could try to use cookies (I am not sure about the exact cross-domain cookie policy): the main page sets cookies for the other domains, and then when such a domain is accessed the browser should send the cookie.

Well, you can't issue cookies for another domain. But I'm working on a workaround with a one-time hash key instead. I will come back with it when I've made it.

Thank you anyway. I appreciate the feedback.
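One way to build the "one-time hash key" the last post announces, and to retire the `?u=$username&p=SHA1($password)` iframe. This is an added example, not code from the thread, from Yii or from OpenCart. It assumes a table `sso_token` that both sites can reach (on the same server, as the thread says) and a PDO handle to it; the endpoint URL, the 60-second lifetime and the demo data are also my assumptions. The site the user is logged in on issues a random token, stores only its SHA-256 hash together with the customer_id and an expiry, and redirects the browser to the other site carrying the raw token. The other site redeems it exactly once, starts a fresh session, stores `customer_id` under the key both applications read, and redirects again so the token leaves the address bar. A logged URL then contains only a token that is already spent or expired, which is what makes a GET parameter acceptable here where a password hash was not.

```php
<?php
// Added example: single-use, short-lived login handoff between two domains.

const SSO_TOKEN_TTL = 60; // seconds; the redirect is immediate, so keep it short

function sso_create_table(PDO $pdo) {
    $pdo->exec('CREATE TABLE IF NOT EXISTS sso_token (
        token_hash  CHAR(64) PRIMARY KEY,
        customer_id INTEGER  NOT NULL,
        expires_at  INTEGER  NOT NULL,
        used        INTEGER  NOT NULL DEFAULT 0)');
}

// Issuing side (domain1.com), called once the user is authenticated there.
function sso_issue_token(PDO $pdo, $customerId, $now = null) {
    $now = ($now === null) ? time() : $now;
    // 256 random bits from the CSPRNG (PHP >= 7; on PHP 5 use
    // bin2hex(openssl_random_pseudo_bytes(32))). The raw token is never stored.
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO sso_token (token_hash, customer_id, expires_at, used)
                           VALUES (?, ?, ?, 0)');
    $stmt->execute(array(hash('sha256', $token), (int)$customerId, $now + SSO_TOKEN_TTL));
    return $token;
}

// URL the browser is redirected to; endpoint path is an assumption.
function sso_handoff_url($token) {
    return 'https://webshop.domain.com/sso/consume?token=' . rawurlencode($token);
}

// Consuming side (webshop.domain.com). Returns the customer_id, or null when the
// token is malformed, unknown, expired or already spent. The conditional UPDATE is
// the single-use check: two racing requests with the same token cannot both win.
function sso_consume_token(PDO $pdo, $token, $now = null) {
    $now = ($now === null) ? time() : $now;
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // wrong shape: don't even touch the database
    }
    $hash = hash('sha256', $token);
    $upd = $pdo->prepare('UPDATE sso_token SET used = 1
                          WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $upd->execute(array($hash, $now));
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $pdo->prepare('SELECT customer_id FROM sso_token WHERE token_hash = ?');
    $sel->execute(array($hash));
    return (int)$sel->fetchColumn();
}

// What /sso/consume does with a valid token. The caller redirects afterwards so the
// token is not left in the URL bar, browser history or a bookmark.
function sso_login_from_token(PDO $pdo, $token) {
    $customerId = sso_consume_token($pdo, $token);
    if ($customerId === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // never carry a pre-login session id into the login
    // Same key OpenCart reads and that the thread writes via Yii::app()->session
    $_SESSION['customer_id'] = (string)$customerId;
    return true;
}

// Offline demonstration against an in-memory SQLite database (constructed data).
function sso_demo() {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    sso_create_table($pdo);
    $t0 = 1000000;
    $token  = sso_issue_token($pdo, 1, $t0);
    $first  = sso_consume_token($pdo, $token, $t0 + 5);              // fresh token
    $replay = sso_consume_token($pdo, $token, $t0 + 6);              // same token again
    $stale  = sso_issue_token($pdo, 1, $t0);
    $late   = sso_consume_token($pdo, $stale, $t0 + SSO_TOKEN_TTL + 1); // after TTL
    $forged = sso_consume_token($pdo, str_repeat('a', 64), $t0);     // never issued
    return array('first' => $first, 'replay' => $replay, 'late' => $late, 'forged' => $forged);
}

var_dump(sso_demo());
```

Two things the thread's iframe approach lacked and this one keeps: the token is bound to a customer_id on the server, so nothing about the account travels in the URL, and redemption is atomic, so a token seen in a log or a proxy is worthless by the time anyone reads it. Because the hidden iframe loads the consuming URL in the user's own browser, the session cookie that `/sso/consume` sets belongs to the second domain itself, which is the only way to obtain one, since a site cannot set cookies for another domain.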