-1

I have a question about logging in from a different website.

Is it possible that a user can log in from Website A to Website B by passing parameters (username and password) through the URL?

For example, I have a login form (containing username and password fields) on Website A; then when the user clicks submit, the parameters will pass through the URL and redirect to Website B (already logged in).

I have seen an article that allows it, something like

http://mydomain.com/login.php?username=iqbal&password=12345

but I don't know how to use it. Is it safe to use?

Gumbo
  • Is website A or B a sub-domain of the other? If not, then you could create an API on the other website to set the cookie/permissions. If you use the post using your get variables with sensitive information, you're playing with fire. – Liam Sorsby Oct 29 '13 at 11:40
  • I wouldn't send a username and password through the URL. Use [cookies](http://stackoverflow.com/questions/315132/how-do-i-use-cookies-across-two-different-domains) for that – Forza Oct 29 '13 at 11:41
  • Website A is a folder: http://mydomain.com/website, and website B is a subdomain: http://crm.mydomain.com – iqbalplague Oct 29 '13 at 11:42
  • In short, yes. However, does Website B support this? What have you tried? Your question needs to provide more details and be more specific. – Marcus Adams Oct 29 '13 at 16:25

2 Answers

0

Passing a password through a URL in plain text is NOT safe to use. Another method, such as generating a random, one-use key, should be used if anything.

Jonathon
  • You should probably write some kind of communication API so that your two websites can communicate with one another regarding logins. Website A would talk to Website B and ask for a unique login key to be generated for User X. Website B would update its user table to reflect the generated login key and it would be returned to Website A (this is all done in the background). Website A would then have the ability to generate a "login URL" using this key and the user ID, so that when it's clicked Website B would be able to check the ID and key against its user table and log the user into the site. – Jonathon Oct 29 '13 at 11:59
  • I'd recommend a bit more security too. You could add an expiry time to the login key so that it's only valid for X seconds or minutes, and you could possibly add stuff in to check if the referral URL is what is expected, etc. There's loads of things you could add for extra security. – Jonathon Oct 29 '13 at 12:00
  • Okay, I will. I'm still looking for an answer based on your suggestion. :) – iqbalplague Oct 31 '13 at 04:01
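
Added example (not part of the original answer or comments, and not code from either site): a minimal PHP sketch of the one-use, expiring login key described above, as Website B would issue and redeem it. The function names, the 60-second lifetime and the `$store` array standing in for Website B's user table are assumptions.

```php
<?php
// Added example. $store stands in for Website B's user table (assumption);
// all function names here are hypothetical.

const KEY_TTL_SECONDS = 60; // assumed lifetime; keep it short

// Website A calls this on Website B, server to server, for a given user.
function issueLoginKey(array &$store, int $userId, int $now): string
{
    $key = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $store[$userId] = [
        'hash'    => hash('sha256', $key),  // store only a hash of the key
        'expires' => $now + KEY_TTL_SECONDS,
    ];
    return $key;                            // Website A puts this in the login URL
}

// Website B calls this when the browser arrives with the user ID and key.
function redeemLoginKey(array &$store, int $userId, string $key, int $now): bool
{
    $row = $store[$userId] ?? null;
    if ($row === null) {
        return false;                       // no key outstanding for this user
    }
    unset($store[$userId]);                 // one use only: burn on any attempt
    if ($now > $row['expires']) {
        return false;                       // key is too old
    }
    // Constant-time comparison of the stored hash and the presented key's hash.
    return hash_equals($row['hash'], hash('sha256', $key));
}

// Constructed demo with a fixed user ID and simulated clock offsets.
$store = [];
$now   = time();

$key = issueLoginKey($store, 42, $now);
var_dump(redeemLoginKey($store, 42, $key, $now + 5));   // first use, inside the lifetime
var_dump(redeemLoginKey($store, 42, $key, $now + 6));   // same key replayed

$late = issueLoginKey($store, 42, $now);
var_dump(redeemLoginKey($store, 42, $late, $now + 61)); // presented after expiry
```

The key still travels in a URL, so it relies on HTTPS, the short lifetime and single use; the password itself never leaves Website A's form handler.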
0

As per: Allow PHP sessions to carry over to subdomains

Here are 3 options.

Place this in your php.ini:

```ini
session.cookie_domain = ".example.com"
```

In your .htaccess:

```apache
php_value session.cookie_domain .example.com
```

As the first thing in your script:

```php
ini_set('session.cookie_domain', '.example.com');
```

Community
Liam Sorsby