NYCPHP Meetup

NYPHP.org

[nycphp-talk] Cross domain Logins

Brian Pang bpang at bpang.com
Thu Nov 20 09:47:22 EST 2003


The way to do this is to use what is called a "pixel beacon" or "web
beacon."

http://www.webopedia.com/TERM/W/Web_beacon.html
(Of course, PHP won't let you make a GIF, but it's a reasonable
description).

Use PHP to create an image which is called from the "other domain."
When calling that image, pass along login information in the query
string (in some decryptable format).
As part of the image creation, you can set a cookie or session.

Basically, what you'll have is...

Site1.com makes a call to an image on Site2.com as
http://www.site2.com/beacon.php?action=login&username=foo
(ok, not encrypted or anything)

beacon.php generates an image and sets a cookie:
(Sample code, YMMV)


<?php
// Sets the cookie straight from the (unvalidated, unencrypted) query string,
// then emits a 1x1 image so the request looks like an ordinary image load.
setcookie("username", $_GET['username'] ?? '');
header("Content-type: image/jpeg");
$im = imagecreate(1, 1)
    or die("Cannot Initialize new GD image stream");
$background_color = imagecolorallocate($im, 255, 255, 255);
$text_color = imagecolorallocate($im, 233, 14, 91);
imagestring($im, 1, 5, 5, $_GET['username'] ?? '', $text_color);
imagejpeg($im);
imagedestroy($im);


There, by visiting one domain, you've now set a cookie on the other domain.
The only catch is that it requires a little bit of cooperation between
the webmasters (if they won't put your image/beacon on their page, all
is lost).


This technique is regularly used in banner ads and Yahoo! even includes
it in their privacy statements.
http://privacy.yahoo.com/privacy/us/pixels/details.html


I haven't done it yet, but I've been tempted to put ALL of my session
and cookie functions into images, even when not going cross-domain.



> 
> Anyone here ever create a cross-domain login system?  I'm still
> waiting for details to see if the domains will have access to the same
> db or same server.  I figure one way to do it would be to somehow
> transfer session info from one domain to the other, but it seems like
> there's plenty of security issues in doing so.  I thought maybe passing
> an md5 encrypted string with the username, password from one site to
> the next might work as well, but I'm still not too sure of the security
> issues, especially considering the issues pointed out a couple weeks
> back regarding auto-logins.
>  
> Anyone have experience with this?
>  
> Thanks!
>  
> Mark
> 
> 
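Added example, not code from the original post: the same beacon.php pattern, but with the raw username in the query string replaced by an HMAC-signed, expiring token, so site2 only starts a session for a user site1 actually vouched for. The shared secret, the `token` parameter and the function names are assumptions.

```php
<?php
// Added example (not the original post's code): beacon.php accepting a
// signed, expiring token instead of a raw username. SHARED_SECRET is a
// placeholder that both sites would provision out of band.
const SHARED_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';
const TOKEN_TTL = 60; // seconds a token stays valid

// site1 side: build the token that goes on the beacon URL.
function make_login_token(string $username, ?int $now = null): string {
    $now ??= time();
    $payload = base64_encode(json_encode([
        'u'   => $username,
        'exp' => $now + TOKEN_TTL,
        'n'   => bin2hex(random_bytes(8)), // nonce, so two tokens never match
    ]));
    return $payload . '.' . hash_hmac('sha256', $payload, SHARED_SECRET);
}

// site2 side: returns the username only if the token is genuine and fresh.
function verify_login_token(string $token, ?int $now = null): ?string {
    $now ??= time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) return null;
    [$payload, $sig] = $parts;
    $expected = hash_hmac('sha256', $payload, SHARED_SECRET);
    if (!hash_equals($expected, $sig)) return null;      // constant-time compare
    $raw = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data) || !is_string($data['u'] ?? null)) return null;
    if (!is_int($data['exp'] ?? null) || $data['exp'] < $now) return null; // expired
    // Replay inside TOKEN_TTL is still possible unless site2 records seen nonces.
    return $data['u'];
}

// Request handling for beacon.php?token=...
$user = verify_login_token($_GET['token'] ?? '');
if ($user !== null) {
    // A cookie set during a cross-site <img> load needs SameSite=None; Secure.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'None']);
    session_start();
    session_regenerate_id(true);
    $_SESSION['username'] = $user;
}
// Always answer with the 1x1 image so a rejected token looks no different.
header('Content-Type: image/gif');
echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
```

Site1 would call make_login_token() when building the img tag; everything else in the token is checked before it is trusted.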
