Multi-Site Manager & Cookies Issues (14 posts)

  1. Trent
    Member
    Posted 17 years ago #

    I have read every single thread I can find about domain mapping and cookies. I think if I would have just set up blogs and then changed them over to have the domain mapped, I would have been better off, however I have the following questions.

    I created my domain1.com WPMU install. I then installed the Multi-Site Manager plugin and created new sites (several domains) with it using parked domains. Everything is working great but the cookies.

    As I didn't create a blog domain2.domain1.com and then add domain2.com to it, I am plagued with the "no single cookie" issue.

    Anyone have any ideas how to get cookies working now that I have created my domain mapping this way and don't have a blog on domain1.com to fall back on for cookie support?

    Trent

  2. lunabyte
    Member
    Posted 17 years ago #

    You mean something like a single cookie for all domains?

    It doesn't quite work like that. You can't set a cookie for domainA, and expect domainB to be able to read it. Can you think of the security nightmare that would ensue? Like thieves reading the cookie your bank set?

    In a similar fashion, domainA can't also set a cookie for domainB.

    In other words, when you're on domainA and its blogs you'll have to log into domainA, and the same for domainB. Your login will be the same (user/pass), but you'll still have to log in.

  3. Trent
    Member
    Posted 17 years ago #

    That is partly my conclusion because of the way I set the system up. I don't plan on changing my setup, but for sake of argument would it have worked if I would have:

    1) Had all blogs as a variation of all blogs having to be username.domain1.com so that all cookies were based off domain1
    2) Used a redirect solution for the domains versus this plugin to keep rule 1) intact
    3) Don't allow wildcard DNS on the mapped domains.

    That would make it closer to what wordpress.com has setup because even though they have domain mapping, the admin really isn't domain2.com/wp-admin/ but rather username.domain1.com/wp-admin/ even though the end result turns out for domain2.com for users.

    Hope that makes sense and I appreciate the comments lunabyte! : )

    Trent

  4. lunabyte
    Member
    Posted 17 years ago #

    Sure, it makes sense.

    Problem being, the system just doesn't work that way with the current core.

    Even using a rewrite rule to map it to a specific blog as user.main-domain.tld, still lets the browser "think" it's on domainb.tld instead. Regardless if it is technically served by main-domain.tld.

    There are some ways around this, but they are not for the faint of heart.

    In my head I have a pretty good idea of how wp.com is pulling it off. I might be wrong, since I obviously can't read the actual source, but from what one can see in the output source code that is sent to the browser it's a logical deduction based on that content.

    At least a "big picture" of how it's being done anyway. Kind of like looking at a car, and knowing that it has a motor which turns a shaft, that makes the wheels move. You might not know how the actual inner workings are put together (OK, you could take a motor apart, but you get the idea) but you do know the basic principles involved to put together a logical idea of the basics of getting from point a to point b.

    So really, it doesn't exactly matter how you have it set up. Cross-domain is still cross-domain. If the browser is told it's on domainb, then that's what it's on.

    I will say that parts of domain mapping are much easier and faster with your site running on its own private server. But that's server configuration stuff, and unless you have a ton of domains, it really doesn't make much difference in terms of mapping.

  5. Trent
    Member
    Posted 17 years ago #

    Good points and interesting reading :) I knew after your first post that I was going to be using the configuration that I have now since "complicating" the issue really is more of a pain in the backside versus just having users login and set 3 cookies if they are part of 3 domains. You are right that a combined cookie really isn't a big deal when the user is still there to login on each domain at least!

    Cheers lunabyte.

    Trent

  6. lunabyte
    Member
    Posted 17 years ago #

    Well, that's part of the thing. You could pass them around to every domain through a script, and log them in (and then out as well), but that could be potentially disastrous as they bounce from domain to domain.

    You can't really combine a cookie, either. It's for one domain, and one domain only.

    Things can be done however, that are transparent (visually, without looking through the source for clues) to the end user. Granted, they are a bit more involved than just setting cookies.

  7. andrea_r
    Moderator
    Posted 17 years ago #

    but once they've logged in once to all the sites and set the cookie to remember their info, they should still stay logged in to all of 'em. :D

  8. lunabyte
    Member
    Posted 17 years ago #

    Yes, that is correct. But I believe the topic is about keeping someone logged in across various domains, without having to initially log into each one.

    If you only have a couple, it probably isn't a big deal, but when you get into more than a handful it becomes a pain in the ass.

  9. zappoman
    Member
    Posted 16 years ago #

    Lunabyte,

    Would you be willing to share your specific ideas on how to handle setting cookies in multiple domains transparently? I am assuming you're suggesting something like having a resource on the login page that pings the other domain...

    But I'm having a hard time wrapping my head around this.

    What I really want is:

    1) Main domain - let's call it uberblognetwork.com
    2) hosted TLD domain - let's call it hostedpartner.com
    3) When someone logs in to hostedpartner.com we want them to be logged in to both hostedpartner.com and uberblognetwork.com.

    Note: In the case where someone logs into uberblognetwork.com we are happy to just have them logged in there. We don't need to pass cookies the other way.

    My thought is to redo wp_setcookie() to call php's setcookie() on both domains... but I know that's not enough to actually get the cookie set, I know I need to get a resource being served off of the second domain to actually set the cookie. I guess I could make sure a "pixel" from the master domain is served up by every page on the partner domain... and I guess I could use session variables to make sure that that pixel sets the logged in cookie appropriately...

    But I admit my head is spinning trying to figure this out.

    Mind throwing a dog a bone?

  10. MrBrian
    Member
    Posted 16 years ago #

    You can't set cookies for other domains for security reasons.

    You could do it by creating a custom php file hosted at hostedpartner.com that receives the login info from uberblognetwork.com each time a user logs in. The php file would then receive the username and password hash and set the cookie on hostedblognetwork based on that. Now both domains have the same cookie set.

  11. zappoman
    Member
    Posted 16 years ago #

    Mr.Brian,

    Yep, I know that the cookie spec makes this point clear and all browsers and servers are designed to prevent this kind of a break.

    So I know I need to have a resource from each domain get returned by the server in order to set the cookie... I'm just trying to sort out how to accomplish that goal.

    Turns out that hostedpartner.com is running on the same server(s) as uberblognetwork.com [that's why I'm calling them hostedpartner]...

    What I'm struggling with is how to make the login process transparent...

    So there's a <form> on hostedpartner.com, the user clicks submit, cool... the returned page from hostedpartner.com is able to set the cookies for hosted partner... Everything's groovy there.

    I guess what I'm also supposed to do is have a "pixel" from uberblognetwork.com embedded inside of the response page on hostedpartner.com.

    I haven't tried it yet, but I'm having a hard time believing that php is going to let me call setcookie() for the second domain within the POST response from the first domain so that when the pixel is returned it will be set... that's what I'm struggling with.

  12. zappoman
    Member
    Posted 16 years ago #

    Ok, I figured out a solution that works for my use case.

    I have a modified version of wp-login (actually I wrote a plugin that mimics the login url).

    To implement the feature I describe above I added a new "action" verb called "passthrough_login". This param assumes that "user_login", and "pwd" will be passed on the url.

    I then changed the code to notice this multi-domain login case and use a redirect_to that points to the piggybacked domain with the passthrough_login action param.

    I md5 the password on the wire so that it's a little more secure (although I can see some security issues with this and the manner in which wordpress normally does cookie login, but I guess if it's good enough for normal wordpress then it should be good enough in this case).

    This system could be used to handle more than 2 domains as well, if you just keep encoding the redirect_to's to include this passthrough_login parameter and the credentials.

  13. MrBrian
    Member
    Posted 16 years ago #

    Good solution, similar to what I was thinking :). The fundamental method is the same (passing login parameters to both domains).

  14. zappoman
    Member
    Posted 16 years ago #

    Oh yeah, one other point of interest for anyone who attempts to do this.

    Wordpress does some interesting stuff when it comes to passwords stored in cookies which are then passed to the same login functions as passwords typed in by users.

    Namely, the passwords stored in cookies are md5'd... makes sense. Then many of the api's that take passwords also take a param that indicates that the password has already been md5'd.

    Anyway, this was messing with my head for a couple hours because if you call one api (like wp_login) with the param and you don't call other apis (like wp_setcookie) with the param, then all hell breaks loose. I actually had to double md5() the password when typed in by the user... I honestly don't know why... but I got it working, so I stopped trying to twist my head around the logic of it all.

    The point is, if you attempt to mess with this, and it doesn't work for you... then just triple check your passwords and their md5ness...

    Good luck.
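
Added example (not part of the thread and not zappoman's plugin code): one way to do the login handoff described in posts 12 and 14 without putting `user_login` and an MD5 of the password on the redirect URL. The login domain sends a short-lived, single-use, HMAC-signed token instead; the `token` idea, the function names, the shared key and the in-memory nonce store are assumptions for illustration.

```php
<?php
// Added example: signed, short-lived, single-use login handoff between two
// domains that share a server-side secret. All names here are hypothetical.
const HANDOFF_TTL = 30; // seconds a token stays valid

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Runs on hostedpartner.com after the normal login has succeeded.
function issue_handoff(string $user, string $audience, string $key, int $now): string {
    $claims = ['u' => $user, 'aud' => $audience, 'exp' => $now + HANDOFF_TTL,
               'n' => bin2hex(random_bytes(16))];
    $body = b64url(json_encode($claims));
    return $body . '.' . b64url(hash_hmac('sha256', $body, $key, true));
}

// Runs on uberblognetwork.com. Returns the user login, or null if rejected.
// $seen stands in for a shared store of already-used nonces.
function redeem_handoff(string $token, string $audience, string $key, int $now, array &$seen): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    $expect = b64url(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expect, $mac)) return null;   // MAC checked before decoding
    $c = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['u'], $c['aud'], $c['exp'], $c['n'])) return null;
    if ($c['aud'] !== $audience) return null;       // minted for another domain
    if ($now > $c['exp']) return null;              // too old
    if (isset($seen[$c['n']])) return null;         // already used once
    $seen[$c['n']] = $c['exp'];
    return $c['u'];
}

// Constructed demo values.
$key  = random_bytes(32);
$seen = [];
$now  = time();
$tok  = issue_handoff('trent', 'uberblognetwork.com', $key, $now);
var_dump(redeem_handoff($tok, 'uberblognetwork.com', $key, $now, $seen));   // first use
var_dump(redeem_handoff($tok, 'uberblognetwork.com', $key, $now, $seen));   // replay of same token
$other = issue_handoff('trent', 'hostedpartner.com', $key, $now);
var_dump(redeem_handoff($other, 'uberblognetwork.com', $key, $now, $seen)); // wrong audience
$late = issue_handoff('trent', 'uberblognetwork.com', $key, $now);
var_dump(redeem_handoff($late, 'uberblognetwork.com', $key, $now + HANDOFF_TTL + 1, $seen)); // expired
```

After a successful redeem, the receiving domain sets its own login cookie for its own domain, so no password or password hash travels in the redirect, and a token copied from a log or Referer header is already spent or expired.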