• Hi! I created two installations at different domains, Site1 and Site2. Files are hosted on separate servers but they share a database and the same users tables. So far so good, but I’d like to synch login sessions… I’ve been playing around with cookie domain and path settings in wp-config for Site2 but no luck so far. Setting the cookie domain to Site1’s URL gives me a “must enable cookies to use WordPress” error.

    They’re both the latest version of WordPress, with forced SSL via .htaccess

    Thanks for any help!


Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    No browser is going to send auth cookies for one domain to another domain. It would be a major security vulnerability. WP does not use PHP sessions; authorization is done solely with cookies. WP does use something called sessions, but it’s not the same as PHP sessions. AFAIK, they are not used for user authentication anyway.

    Each domain must set its own auth cookies. I don’t see how you can avoid two logins; however, the second login could be automated, so from a UX perspective, it’s a single login. There could be cross site scripting restrictions to deal with, but I think they are resolvable.

    The other problem you will run into is the password hash stored by one site will not match that from the other site, even though the plaintext is the same. Password verification on one site or the other will always fail. One way you can maybe get the hashes to match is to have both sites use the same set of salts in wp-config.php. The server clocks also need to be closely matched. There could be other factors I’m not familiar with causing different hashes. Having two sites with the same salts is not recommended; it creates a security vulnerability.

    You may be better off having one site maintain its password hashes elsewhere, such as user meta. Or build an Auth API on one site that does the verification for the other, similar to how we can log in to various sites with our Google or Facebook credentials.
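
An added example, not part of the original reply or of WordPress itself: one way the automated second login suggested above could work, as a short-lived, single-use, HMAC-signed handoff token that Site1 mints and Site2 redeems. The function names, the key constant and the site2.example URL are assumptions made for illustration.

```php
<?php
// Added example: signed, short-lived, single-use login handoff from Site1 to Site2.
// HANDOFF_KEY, mint_handoff() and verify_handoff() are hypothetical names.
// The key is a dedicated secret known to both sites, not the wp-config.php salts.
const HANDOFF_KEY = 'replace-with-32+-random-bytes'; // placeholder value
const HANDOFF_TTL = 60;                              // seconds a token is accepted

function b64u(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Site1: called for a user who already holds a valid Site1 login.
function mint_handoff(int $user_id, string $audience, int $now): string {
    $claims = b64u(json_encode([
        'uid' => $user_id,
        'aud' => $audience,                 // the only site allowed to redeem it
        'exp' => $now + HANDOFF_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique id for replay detection
    ]));
    return $claims . '.' . b64u(hash_hmac('sha256', $claims, HANDOFF_KEY, true));
}

// Site2: returns the user id, or null if the token must be rejected.
// $seen stands in for a persistent store (e.g. a DB table) of redeemed jti values.
function verify_handoff(string $token, string $audience, int $now, array &$seen): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$claims, $mac] = $parts;
    $expected = b64u(hash_hmac('sha256', $claims, HANDOFF_KEY, true));
    if (!hash_equals($expected, $mac)) return null;               // forged or altered
    $c = json_decode(base64_decode(strtr($claims, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['uid'], $c['aud'], $c['exp'], $c['jti'])) return null;
    if ($c['aud'] !== $audience || $now > $c['exp']) return null; // wrong site or expired
    if (isset($seen[$c['jti']])) return null;                     // already redeemed
    $seen[$c['jti']] = true;
    return (int) $c['uid'];
}

// Constructed demo values.
$seen  = [];
$now   = 1700000000;
$token = mint_handoff(42, 'https://site2.example', $now);
var_dump(verify_handoff($token, 'https://site2.example', $now + 5, $seen));       // first use
var_dump(verify_handoff($token, 'https://site2.example', $now + 5, $seen));       // replay
var_dump(verify_handoff($token . 'x', 'https://site2.example', $now + 5, $seen)); // tampered
var_dump(verify_handoff(mint_handoff(42, 'https://site2.example', $now),
                        'https://site2.example', $now + 61, $seen));              // expired
```

On Site2, a non-null result is the point at which a WordPress handler would call `wp_set_auth_cookie()` for that user, so each domain still sets its own auth cookie. The token travels only over HTTPS and the redeemed-`jti` store has to persist across requests for the replay check to hold.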

  • The topic ‘Shared sessions across two domains’ is closed to new replies.