How to Migrate Cookies Across Domains in Joomla

Let’s say that you own two Joomla websites, and you want to unify the login for these sites: in other words, whenever someone is logged in to one site, you want him to be automatically logged in to the other. The process of unifying login across multiple domains is called “cookie migration”, and is done by many large companies, such as Google, Yahoo, and others. Generally, companies do cookie migration when they want their users to be logged in to a subdomain as well as to the main domain (for example, you might want your users to be automatically logged in to store.yourjoomlawebsite.com if they’re already logged in to yourjoomlawebsite.com), or when they want their users to be logged in to a regional website when they’re logged in to the main website (for example, you might want your users to be automatically logged in to yourjoomlawebsiteusa.com if they’re already logged in to yourjoomlawebsite.com).

Of course, for those with no technical experience, the above might seem like a trivial task. But any programmer can tell you that it is a daunting one! We did it ourselves several times and we can say that it’s not an easy task!

There are several methods to do the cookie migration across multiple domains, and each method has its pros and cons…

Method #1: Pass a unique hash in the URL

This method consists of passing a unique hash in the URL that tells the second server that this person is already logged in on the first domain, so it should log him in as well. The way to do this is by adding a field called hash to the jos_session table, setting it to a unique string (generated using md5() and microtime()), and then appending the hash to every URL linking to the other site if the user is not already logged in there. When the user clicks any URL pointing to the other site, the hash is checked, and the user is automatically logged in on the other site (a script on that website handles the login based on the hash).

Pros

  • Easy to implement: This method will only take about 8 hours to implement.
  • Easy to understand: The logic behind this method is very straightforward.

Cons

  • Both websites have to share the same server (if not the same database): At some point, the hash-based login script will need to check the session table of the other website to see whether that hash exists and whether the user is logged in. If the database of the first website is not accessible by the second website, then the check will fail, and the migration will not happen.
  • Not very secure: The hash is effectively the user’s username and password rolled into one string. If that hash is stolen while the user is logged in (in one way or another), then the “cookie thief” will be able to log in using the hash from another computer, without even knowing the username and password.

  • Not elegant: Imagine having 32 or 64 meaningless characters in every URL of your website. We don’t think that’s very elegant!

Method #2: Use client-side and server-side code to set the cookie on the other website

Since both websites are under your control, you can use HTML/PHP code to set the cookie on your other Joomla website. So, the first time the person logs in to the first website, you can add the following code to the page:

<img src="http://www.yourotherjoomlawebsite.com/setcookie.php?cookie=same_cookie">

The above code calls the setcookie.php file on your other website; this file ensures that the other website shares the cookie with the first website. Again, this method has pros and cons…

Pros

  • Elegant: This method is elegant as you don’t have to deal with ugly URLs and you don’t have to change links across the board on your website(s).
  • Fast to deploy: Once the setcookie.php file is created, then you can deploy it on as many websites as you want, and they’ll be able to share the login. Adding the setcookie.php code (with the img src=…) can be easily done using a Jumi module.

Cons

  • Still the same problem with database accessibility: The database where the session information is stored must be accessible by all websites that want to share the same login. This means that it’ll be really hard to unify the login when the websites do not share the same database or, worse, do not share the same server!
  • Might be open to security issues: Having a file that is responsible for setting cookies can open up a whole can of worms when it comes to website security, even if the file itself is very secure: any page that can make a user’s browser load setcookie.php with a value of its choosing can plant that value as a session in the browser.

  • Might be blocked by the browser: From the browser’s point of view, the cookie set by setcookie.php is a third-party cookie (it arrives in response to a cross-site image load), and browsers that disable third-party cookies, by default or by setting, simply discard it.
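Both the URL hash of Method #1 and the value handed to setcookie.php in Method #2 are bearer tokens, and a bare md5(microtime()) value has none of the properties such a token needs. The block below is an added example, not code from the original post: a handoff token that is HMAC-signed (so the second site can verify it without reading the first site’s session table), expires after a minute, and can be redeemed only once. It assumes a shared secret distributed out of band, a hypothetical login.php endpoint on the second site, and an in-memory array standing in for a nonce table.

```php
<?php
// Added example, not code from the original post: a signed, short-lived,
// single-use handoff token in place of md5(microtime()) stored in jos_session.
// $sharedSecret is assumed to be identical on both sites; $usedNonces stands in
// for a server-side table (or cache) of nonces that have already been redeemed.

function issue_handoff_token(int $userId, string $sharedSecret, int $ttlSeconds = 60): string
{
    $payload = [
        'uid'   => $userId,
        'exp'   => time() + $ttlSeconds,       // short lifetime bounds the replay window
        'nonce' => bin2hex(random_bytes(16)),  // CSPRNG output, unlike md5(microtime())
    ];
    $body = rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '=');
    $sig  = hash_hmac('sha256', $body, $sharedSecret);
    return $body . '.' . $sig;
}

// Returns the user id the token vouches for, or null if it must be rejected.
function verify_handoff_token(string $token, string $sharedSecret, array &$usedNonces): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $sig] = $parts;
    // Check the signature first, in constant time: an unsigned token proves nothing.
    if (!hash_equals(hash_hmac('sha256', $body, $sharedSecret), $sig)) {
        return null;
    }
    $b64  = strtr($body, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding for strict decode
    $payload = json_decode((string) base64_decode($b64, true), true);
    if (!is_array($payload) || !isset($payload['uid'], $payload['exp'], $payload['nonce'])) {
        return null;
    }
    if ($payload['exp'] < time() || isset($usedNonces[$payload['nonce']])) {
        return null;                           // expired, or already redeemed
    }
    $usedNonces[$payload['nonce']] = true;     // consume it: one redemption only
    return (int) $payload['uid'];
}

// Site A builds the link; site B redeems the token once, then starts its own session.
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET';   // placeholder value
$used   = [];
$token  = issue_handoff_token(42, $secret);
$link   = 'https://www.yourotherjoomlawebsite.com/login.php?token=' . urlencode($token);  // hypothetical endpoint
echo "link: $link\n";
echo "first redemption: ", var_export(verify_handoff_token($token, $secret, $used), true), "\n";
echo "second redemption (nonce already consumed): ", var_export(verify_handoff_token($token, $secret, $used), true), "\n";
```

The token still travels in a URL, so it can leak through Referer headers and server logs; the short lifetime and single redemption are what limit the damage when it does.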

Method #3: Logging in the user to multiple websites at the same time

This method is probably the best one, because it overcomes the database limitation. It requires (as with the first method) editing a core Joomla file, controller.php, located under /yourjoomlawebsite/components/com_user. The programmer has to “post” the username and password to the other website(s) immediately after the following lines:

if(!JError::isError($error))
{

So, whenever someone logs in to one website, he’s automatically logged in to all other websites, and then redirected back to the website he initially logged in from.

Pros

  • By far the most elegant and efficient solution to unifying the login: This method doesn’t suffer from database limitations (the websites can be anywhere); the only thing that needs to be shared between these websites is the users table (which can be synced in many ways, even if these websites reside on completely different servers). Additionally, the user is actually being logged in to all these sites (the system just does it for him behind the scenes); there is no hack used to do this.
  • Simple concept: The concept of this method is simple: we are logging in the user to all the websites once he logs in to one.

Cons

  • The most complicated method of all: While it’s the most elegant method, it’s also the most complicated. Let’s say that we have 3 websites that we need to automatically log the user in to once he logs in to one of them. So, the user logs in to Website A, which posts the login information to Website B, which then posts the login information to Website C. But what should Website C do? Should it post the login information again to Website B, which would then post the same information (again) to Website C? When to stop? Obviously, if done carelessly, this method can lead to an infinite redirection between sites, which will eventually crash the server(s).
  • Requires the modification of core Joomla files: What if you want to upgrade your Joomla website? The modifications done on some of your core Joomla files may be overwritten by the upgrade, or, even worse, they may conflict with your upgrade.

  • It’s not really cookie migration: What we’re doing here is that we’re forcing login on every website (which may be a sub-domain or a totally different domain), we’re not migrating the cookies and we’re not even looking at the cookies.

  • Will only work if the users’ data is identical: This method can only work when the users’ data on all sites is identical. So this means that while this method works if the websites do not share the same database, it will not work at all if the users’ usernames and passwords are not identical on all websites.
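The “when to stop?” question in the first con above is answered by carrying an explicit list of sites still to visit with the request, validated against a configured allowlist so that a forged list cannot turn the login hook into an open redirect or a credential forwarder to arbitrary hosts. This is an added example, not the post’s own or Joomla’s code: it shows only the routing logic and leaves the credential POST itself out; the peer URLs are constructed placeholders, and the allowlist is assumed to be identical on every site.

```php
<?php
// Added example, not from the original post: loop-free fan-out for Method #3.
// Every site is configured with the same allowlist of peers (assumption); the
// list of sites still to visit travels with the request and is re-validated
// against that allowlist on each hop, so the chain cannot be extended by a client.

const PEER_SITES = [              // constructed placeholder URLs
    'https://a.example.com',
    'https://b.example.com',
    'https://c.example.com',
];
const MAX_HOPS = 10;              // circuit breaker even if the chain is malformed

// Decide what this site does after it has logged the user in:
//   ['action' => 'post', 'to' => next peer, 'remaining' => [...], 'hops' => n]
//   ['action' => 'redirect', 'to' => origin] once every peer has been covered.
function next_hop(string $self, string $origin, array $remaining, int $hops): array
{
    if ($hops >= MAX_HOPS) {
        return ['action' => 'redirect', 'to' => $origin];
    }
    // Only ever redirect to, or post to, a configured peer.
    if (!in_array($origin, PEER_SITES, true)) {
        throw new InvalidArgumentException('unknown origin site');
    }
    $remaining = array_values(array_filter(
        $remaining,
        fn($site) => in_array($site, PEER_SITES, true) && $site !== $self && $site !== $origin
    ));
    if ($remaining === []) {
        return ['action' => 'redirect', 'to' => $origin];   // chain complete: go home
    }
    return [
        'action'    => 'post',
        'to'        => $remaining[0],
        'remaining' => array_slice($remaining, 1),          // shrinks on every hop
        'hops'      => $hops + 1,
    ];
}

// Walk the chain from site A: A posts to B, B posts to C, C redirects back to A.
$origin    = 'https://a.example.com';
$remaining = array_values(array_diff(PEER_SITES, [$origin]));
$site      = $origin;
$hops      = 0;
do {
    $step = next_hop($site, $origin, $remaining, $hops);
    echo "$site -> {$step['action']} {$step['to']}\n";
    if ($step['action'] === 'post') {
        [$site, $remaining, $hops] = [$step['to'], $step['remaining'], $step['hops']];
    }
} while ($step['action'] === 'post');
```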

Cookie migration across domains is one of the most delicate and complicated issues on the web, and not only in Joomla. If you have multiple Joomla websites that you need to unify the login on, then we’re here to help. Just contact us and let us prove to you how efficient, fast, and creative we are! (PS: Don’t worry about our fees, they are very reasonable!)
