Gossamer Forum

Double domain question

I've got a double domain setup, so typing http://firstdomain.com is the same as typing http://domaintwo.com

If a user logs in once to Gossamer Community with http://firstdomain.com, closes the browser and then accesses Community again, this time with http://domaintwo.com, will he still be logged in or not? Will this be OK?
Thanks
Max
The one with Mac OS X Server 10.4 :)
Re: [maxpico] Double domain question In reply to
No, a cookie is valid only for a single domain. I would suggest putting a rewrite similar to:


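# Server or virtual-host context (in .htaccess, drop the leading "/" from the pattern)
RewriteEngine On
# Redirect any request whose Host header is set and is not domain.com
RewriteCond %{HTTP_HOST} !^domain\.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://domain.com/$1 [L,R=permanent]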

This means if a user goes to domain2.com, they automatically get redirected to domain.com. That ensures that everybody ends up on the same domain, and you don't have cookie issues to worry about.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Double domain question In reply to
No, I don't want a redirect... I could set up the DNS of the second domain to redirect to the first one but I don't want to.
Why is this setup not supported? Will it be added?
Max
The one with Mac OS X Server 10.4 :)
Re: [maxpico] Double domain question In reply to
It's simply how cookies work.

Cookies aren't valid for more than one domain as Alex pointed out.

Cookies have a -domain parameter that sets the valid domain for the cookie, hence it can only be valid for one domain.

You can set a cookie over different sub-domains though.

Last edited by Paul: Jan 28, 2003, 4:48 AM
Re: [Paul] Double domain question In reply to
Yes but a script can create a cookie for each domain... Tongue
Max
The one with Mac OS X Server 10.4 :)
Re: [maxpico] Double domain question In reply to
I haven't really looked extensively at the community plugin but I expect this would have been fairly easy to do had there been some plugin hooks as you could hook the authentication routines to set another cookie.

However as there aren't you'd probably have to go into the code manually but I wouldn't suggest that just yet.

Maybe Alex will have further details for you.
Re: [Paul] Double domain question In reply to
Well, I don't know how to do that... My Perl knowledge doesn't permit me to write a line.
However, you said that it would be simple, so why won't Alex's team add it? I'm sure there are other people in the same situation...
Max
The one with Mac OS X Server 10.4 :)
Re: [maxpico] Double domain question In reply to
The process of creating the plugin is simple, I can't comment on the actual implementation of the hooks but I'm sure it is harder than making the plugin ;)

Last edited by Paul: Jan 28, 2003, 10:35 AM
Re: [maxpico] Double domain question In reply to
Quote:
Yes but a script can create a cookie for each domain

Not really, a script can only set a cookie for the domain it is called on. To set a cookie on multiple domains requires the user to make a different request to a script for each domain.

For instance, I log in to foo.com and get a session cookie set on foo.com. Now how will an application running on bar.com know I am logged in? It can not access the cookie at all, so there is no way to authenticate the user via a session. You would have to ask the user to login again on bar.com.

Alternatively you could pass the session through the URL, but that has security considerations.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Double domain question In reply to
I was saying another thing. A script could create a double cookie on the user. If a user accesses foo.com, the script creates a session cookie for foo.com and bar.com. So when he accesses bar.com he will be logged in... Simple, no?
Max
The one with Mac OS X Server 10.4 :)
Re: [maxpico] Double domain question In reply to
No. Browsers do not allow this. A cookie can only be set for the domain the request was for (as otherwise I could set a cookie that would be valid on microsoft.com or amazon.com).

Cheers,

Alex
--
Gossamer Threads Inc.
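
The cookie-scope rule Paul and Alex describe in the posts above, as an added Python example that is not part of the original thread or of Gossamer Community. It follows the domain-match rule of RFC 6265; PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List that browsers consult.

```python
import ipaddress

# Constructed stand-in for the Public Suffix List that browsers consult.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip(host)

def cookie_accepted(request_host, domain_attr=None):
    """Would a browser store a cookie that request_host sets with this Domain?"""
    if domain_attr is None:
        return True                          # host-only cookie, always storable
    domain = domain_attr[1:] if domain_attr.startswith(".") else domain_attr
    if domain.lower() in PUBLIC_SUFFIXES:
        return False                         # would span unrelated sites
    return domain_match(request_host, domain)

def cookie_sent(request_host, cookie_domain, host_only):
    """Would a stored cookie be attached to a request for request_host?"""
    if host_only:
        return request_host.lower() == cookie_domain.lower()
    return domain_match(request_host, cookie_domain)
```

A response from foo.com can therefore scope a cookie to foo.com and its sub-domains, but never to bar.com, which is why the second domain needs its own request and its own authentication step.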
Re: [Alex] Double domain question In reply to
true... Blush sorry Laugh

So there aren't other chances? I must redirect users?
Max
The one with Mac OS X Server 10.4 :)
Re: [Alex] Double domain question In reply to
What about calling a cookie-set-script via an IMG-tag at the login page?

Example for login_success.html at domain1.com:

<IMG SRC="http://DOMAIN2.com/cgi-bin/setcookie.pl" WIDTH="1" HEIGHT="1">

<IMG SRC="http://DOMAIN3.com/cgi-bin/setcookie.pl" WIDTH="1" HEIGHT="1">

<IMG SRC="http://DOMAIN4.com/cgi-bin/setcookie.pl" WIDTH="1" HEIGHT="1">

...

Oh, it's just an idea.....

Regards,
Manu

Shopping Portal Shop-Netz.de® | Partnerprogramme | Flugreisen & Billigflüge | KESTERMEDIA e.K. | European Affiliate Marketing Forum.
Re: [ManuGermany] Double domain question In reply to
How does domain3.com know what cookie to set? What if the user clicks before an image loads? Also, img and frames on different domains will fall under different security zones in IE I believe.

You might be able to do something by bouncing the user to a second domain and then back again, but I'm not sure how safe it would be.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Double domain question In reply to
@alex:

Hi,

I'm not very good at Perl programming, but I know that my suggestion is working for lots of affiliate programs to recognize the affiliate ID of the site a user comes from, to track sales and leads.

The setcookie.pl has to be a cookie-setting script of community which stores the community-cookie. It should be possible to fetch the actual cookie-domain from its calling-url (<IMG SRC="http://DOMAIN3.com/cgi-bin/setcookie.pl?user=<%username/userID%>&login=1">) [<=best way for different domains pointing to the same directory on a server] or per definition in every single setup.pl [I think this works only, if the domains have different cgi-bin's].

Edit:

Maybe something within the login-script of community will work to set the cookies without using an IMG-tag using LWP::-modules.

>What if the user clicks before an image loads?

O.K you don't have a 100% security, that all IMGs are loaded before a user does a click, but placing the IMG/setcookie.pl-calls somewhere at the top of the page and somewhere before the message "You are now successfully logged in" will do the job, I think.

Regards,
Manu

Shopping Portal Shop-Netz.de® | Partnerprogramme | Flugreisen & Billigflüge | KESTERMEDIA e.K. | European Affiliate Marketing Forum.

Last edited by ManuGermany: Jan 28, 2003, 11:29 PM
Re: [ManuGermany] Double domain question In reply to
Quote:
The setcookie.pl has to be a cookie-setting script of community which stores the community-cookie. It should be possible to fetch the actual cookie-domain from its calling-url (<IMG SRC="http://DOMAIN3.com/cgi-bin/setcookie.pl?user=<%username/userID%>&login=1">) [<=best way for different domains pointing to the same directory on a server] or per definition in every single setup.pl [I think this works only, if the domains have different cgi-bin's].

You can't pass in the username of who to be logged in as, as then someone could easily create sessions as other users. You need to authenticate yourself somehow.

Quote:
O.K you don't have a 100% security, that all IMGs are loaded before a user does a click

That's not about security, but rather not having some users logged in, and other users not logged in. It will lead to a lot of headaches for the admin when they start getting complaints about the system not recognizing who they are. Telling the user to wait longer isn't a good option. =)

I'll do some more looking into it, but all I'm saying is that it's not a trivial task.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Double domain question In reply to
So what's the solution? Definitively redirect users?
Max
The one with Mac OS X Server 10.4 :)
Re: [Alex] Double domain question In reply to
Alex,

The multiple domains thing is very important to me too, and is what I was really hoping for when community was released.

I had envisioned a user logs in to "community".

I had even envisioned that as running on its own domain, as its own entity.

Once the user logs in, "community" "knows" about the user, and keeps tabs on that user.

This may require the user to "re validate" themselves to the various sites, but it would only be typing in their community password, perhaps only once to set a cookie from that site with a key-string that identifies them as a unique community user. ?

This requires a secure communication between the plugin on the community-aware site, and the community-control site, similar to how you would validate a request to one of the payment gateways.

It shouldn't be unreasonable to have a site "register" itself with community (or vice versa) and have a keystring/id for each registered site.

1) a user logs into "community".

2) that user now attempts to access a community-aware site that he has been to before. He has a cookie that has his community ID string, and that is checked by the local _auth plugin via a back-end call, to see if the user is really logged in, and if so, get the necessary data. The user's local cookie is updated, and he is now logged in to both community and the local site.

3) that user now attempts to access a community-aware site that he has not been to before.
a) he presses the login link, and is bounced to community to log in.
b) community does its job, and returns the user to the site, via a script, which will set the user's local cookie and log them in.
c) the user is now logged in to both community and the local site.

Only sites that community knows about, can request an authentication check.

Only registered sites can receive authentication data back from community.

Only the user with the correct Username/Password can trigger this exchange of data.

A user is registered with Community, but not with any registered site, until they specifically request it.

Community could register a user with any sites the user wishes upon registration, by doing the "dance" you mentioned above. It would be a one-time thing, where community sends the user to each site (invisibly) and each site sets a cookie in the user's browser with their ID and key string, returning the user to the script which will send the user to the next site, then finally to the "Welcome, you've been registered and logged in" page.

Similarly, I would imagine, a user could have a "custom logon" which would go through the list of the user's "favorite" sites, and log them in (with a new cookie) and get whatever "news and updates" that site wanted to send, and presents it to them on their default community page.

It requires a bit of hand-shaking between the plugin and the community-control site, but it's not something I would have imagined would be impossible in a controlled environment (ie: all GT programs, all working together from the same webmaster).


PUGDOG Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.
Re: [pugdog] Double domain question In reply to
Hi,

Multiple domain support will be available, but will be handled via 'Remote' applications. The process is:

1. User goes to application that needs authentication.
2. User is redirected to Community login page.
3. User authenticates on Community and gets a community cookie.
4. User is redirected back to application and passes session id via url.
5. Application makes HTTP request using Community API to validate the session id, if accepted it will create its own internal session, and the user will continue on as normal (no further authentication required via community).

Cheers,

Alex
--
Gossamer Threads Inc.
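
Steps 3 to 5 of the flow Alex lists above, modelled in-process as an added Python example; it is not Gossamer Community code or its API. The class names, the per-application shared key (the "keystring" idea from pugdog's post), the 60-second lifetime and the single-use rule are assumptions chosen to limit what an id exposed in a URL can be used for.

```python
import hashlib, hmac, secrets, time

def site_mac(key, sid):
    return hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()

class Community:
    """Stand-in for the central login site (hypothetical, not the Community API)."""
    def __init__(self, site_keys, ttl=60):
        self.site_keys = site_keys   # registered application -> shared secret
        self.ttl = ttl               # seconds the URL-borne id stays redeemable
        self.pending = {}            # id -> (user, site, expiry)

    def issue(self, user, site, now=None):
        """Steps 3-4: after login, mint the id that goes into the redirect URL."""
        if site not in self.site_keys:
            raise PermissionError("unregistered application")
        sid = secrets.token_urlsafe(32)
        start = time.time() if now is None else now
        self.pending[sid] = (user, site, start + self.ttl)
        return sid

    def validate(self, sid, site, mac, now=None):
        """Step 5, server to server: returns the user name or None."""
        key = self.site_keys.get(site)
        if key is None or not hmac.compare_digest(site_mac(key, sid), mac):
            return None              # caller does not hold that site's key
        entry = self.pending.get(sid)
        if entry is None or entry[1] != site:
            return None              # unknown, already used, or issued to another site
        del self.pending[sid]        # single use: a replayed URL is rejected
        user, _, expiry = entry
        return user if (time.time() if now is None else now) <= expiry else None

class Application:
    """A site on another domain that trusts Community for authentication."""
    def __init__(self, site, key, community):
        self.site, self.key, self.community = site, key, community
        self.sessions = {}           # local session id -> user

    def handle_return(self, sid, now=None):
        """Validate the id from the URL, then create the app's own session."""
        user = self.community.validate(sid, self.site, site_mac(self.key, sid), now)
        if user is None:
            return None
        local = secrets.token_urlsafe(32)
        self.sessions[local] = user
        return local                 # value for a cookie on this app's own domain
```

The id that travels in the URL is never the application's session: it is exchanged once over the back channel for a fresh local session id, so a copy left in browser history, a proxy log or a Referer header cannot be redeemed again.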
Re: [Alex] Double domain question In reply to
Great!
However, in the meantime I should use mod_rewrite because the Redirect permanent in Vhost conf gives errors.
Alex, is your code correct? There is always domain.com but domain2.com?
Thanks
Max
The one with Mac OS X Server 10.4 :)
Re: [Alex] Double domain question In reply to
Does this mean that Community can be used with session id rather than cookies?

Is it a small fix to make it non-cookies?
Re: [tora] Double domain question In reply to
Quote:
Does this mean that Community can be used with session id rather than cookies?
No, community doesn't support url based sessions. For that to work, the individual applications would need to pass the community session id back and forth between community and the application.

Adrian