Share Session Between Two Websites

Question

Hi thanks in advance...
I am Working on a Project, I need some clarification to share data between two sites in a high secure manner. Currently I am using Form Post to share data. But I think about if there is an option to get site-1 session-data from site-2, because I think using a session is more secure. I don't know how to use a sessions between two sites, but I hope someone here will know.

Like this:
Site 1 Coding

$_SESSION['customer_id'] = 'XYZ';  
$_SESSION['total_amount'] = '100';  

<a href=https://site2.com/do.php?session_id=<?=$_SESSION['session_id']?>>Click Here</a>  

Site 2 Code in do.php

$session_id = $_REQUEST['session_id'];  
$shared_data = bla_bla_bla_function($session_id);  

$customer_id = $shared_data['customer_id'];  
$total_amount = $shared_data['total_amount'];  

or is there any way to do the secure data sharing between two website other than form post, please tell me.
Thank you
Yours,
Kaartikeyan R

Found Solution

I have send the Customer ID and Amount via CURL to the Second Website, in that create a Record in Table for this and generate Encrypted ID with the Record ID, and return the encrypted ID.

So in the First website i get the Encrypted ID, and use it on URL redirection to Second website.

On the Second Website with the Encrypted ID i get the Customer ID and Amount.

Answer 1

Urk. First off, never, EVER do this:

$session_id = $_REQUEST['session_id'];  

This causes a security truck-hole we refer to as 'session fixation' ( read more: http://en.wikipedia.org/wiki/Session_fixation ).

It seems you're pretty heavy on security. If you need to share data from site 1 to site 2, you should do it through a single consumption bridge:

1). Click on a link on Site 1 to a handler file, let's call it redir.php.

2). Redir.php first checks the existing session data.

3). Redir.php writes relevant info into a DB row, along with some sort of identifier (say, an MD5 hash of the user ID + '_'+ current time), plus a 'consumed' flag, set false.

4). Redir.php does a 301 redirect to Site 2, along with the identifier.

5). Site 2 reads the relevant row out of the DB.

6). If the data is good and has not yet been 'consumed', return a success and mark the data as consumed.

7). If the data has been consumed, throw some sort of error.

There are more complex ways of doing this, but I think this handles what you're trying to do.

Answer 2

you could use a common session backend for both sites, eg. store the session in a database

to replace the built-in file backend you can use the function session_set_save_handler