
Cross domains sessions - shared shopping cart cross domains

We are solving a problem with an e-shop (PHP, MySQL). The client wants to have the same e-shop on two domains with a shared shopping cart. In the shop, customers can shop without a user account (they can't be logged in). And here is the problem: how to make the shared shopping cart work across domains.

The cart data is stored in sessions, which we store in the database too. But we can't solve the problem of carrying data across domains. Identifying unlogged users is not holeproof (research).

The example, how it should work

The customer goes to domainOne and adds some things to the cart. Then he goes to domainTwo (by link, typing the domain address, however) and adds some other things to the cart. In the cart he has things from both domains (after refreshing the page).

Do you have any idea, how to solve this problem?

What didn't work:

  • redirecting is not possible due to customer requirements
  • cookies are related to domain
  • set_cookie with the other domain didn't work
  • the simplest way is to carry over only the sessionid (stored in cookies), but we don't know how to identify unlogged users in a holeproof way.
  • is there any other place where data can be stored on the client side except cookies? (probably not)
  • we can't send the sessionid by params in the URL (if the user clicks a link to the other domain) or resolve the Referer header, because we don't know how the user will reach the other domain.

If you can't understand me, ask me a question. If you think that having an e-shop on two domains with a shared (common) cart is a bad idea, don't tell me, we know it.

Thanks for each answer.

Jaroslav Moravec asked Jun 02 '10 08:06


2 Answers

You can use a third domain to identify your customers over all domains.

Use for example a PHP File on http://thirdDomain.com/session.php that is included on all pages on both shops.

Sample:

<script type="text/javascript" src="http://thirdDomain.com/session.php"></script>

After your customer switches domains, you can identify him as the same customer using the third domain.

You can assign the session id on both shops to the session id on the third domain to access the cart on both shops. You only need to inform the third domain about your shop sessions (i.e. add them as parameter).

Depending on how flexible you are with your code and templates, you can even use an output from the third domain to define the session id in your shops. This way you can use the same session id on all domains. But normally a session id assignment should be the more secure way.

Using the javascript version you can also output scripts that may add a session id to all outgoing links and forms to the other domain in the current html page. This might be interesting if you can identify your customer as having cookies blocked. You can also use the javascript to inform the parent document about an existing session.

favo answered Sep 24 '22 15:09


This keeps getting asked.

Have a search for SSO.

You need to pass the session id in the URL (or via a POST) across the domains, then:

1) check the session does not already exist on the target domain

2) rebind the session using the session id sent

e.g.

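// Only rebind when this domain has no session cookie yet and an id was passed
if (empty($_COOKIE[session_name()]) && !empty($_GET['passed_id'])) {
    if (check_session_exists($_GET['passed_id'])) {
        session_id($_GET['passed_id']);
    }
}
session_start();
...
function check_session_exists($id)
{
    // Accept only characters PHP uses in session ids, so $id cannot alter the path
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9,-]+$/', $id)) {
        return false;
    }
    // The default "files" handler stores each session as <save_path>/sess_<id>
    $path = session_save_path() . '/sess_' . $id;
    // session.gc_maxlifetime is the session lifetime in seconds
    $maxAge = (int) ini_get('session.gc_maxlifetime');
    return file_exists($path) && (time() - filemtime($path) < $maxAge);
}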

This also means you need to add '?passed_id=' . urlencode(session_id()) to any URL pointing to the other domain.

C.

symcbean answered Sep 25 '22 15:09
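
A session id placed in a link ends up in browser history, server logs and Referer headers. As an added example (not code from the original answers), the same URL handoff can carry a short-lived, single-use HMAC-signed token that names the cart instead; `HANDOFF_KEY`, `issue_handoff`, `redeem_handoff`, the cart ids and the in-memory nonce store are assumptions made for illustration.

```php
<?php
// Added example. Assumptions: both shops share HANDOFF_KEY, and $usedNonces
// stands in for a table in the shared sessions database.
const HANDOFF_KEY = 'constructed-demo-key';  // constructed value, not a real secret
const HANDOFF_TTL = 30;                      // token lifetime in seconds

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Source domain: sign a token that names the cart, never the session id.
function issue_handoff(string $cartId, int $now): string
{
    $claims = ['cart' => $cartId, 'exp' => $now + HANDOFF_TTL,
               'nonce' => bin2hex(random_bytes(16))];
    $payload = b64url(json_encode($claims));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
}

// Target domain: check signature, expiry and single use; null means reject.
function redeem_handoff(string $token, int $now, array &$usedNonces): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', $parts[0], HANDOFF_KEY, true));
    if (!hash_equals($expected, $parts[1])) {
        return null;                        // forged or altered token
    }
    $claims = json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($claims) || $claims['exp'] < $now) {
        return null;                        // expired
    }
    if (isset($usedNonces[$claims['nonce']])) {
        return null;                        // replayed
    }
    $usedNonces[$claims['nonce']] = $claims['exp'];
    return $claims['cart'];
}

// Constructed demo: one valid redeem, then a replay, a tampered and an expired token.
$used = [];
$token = issue_handoff('cart-1001', 1000);
var_dump(redeem_handoff($token, 1010, $used));
var_dump(redeem_handoff($token, 1011, $used));
var_dump(redeem_handoff($token . 'x', 1010, $used));
var_dump(redeem_handoff(issue_handoff('cart-1002', 1000), 1031, $used));
```

On the target domain, call `session_start()` and `session_regenerate_id(true)` after a successful redeem, then attach the returned cart id to the new session.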