Can a user session be transferred from one domain to another?

I am facing the reality of having to remove our training site pages from our current domain into a new separate, distinct domain (website) with a different URL. I have created user sessions in our current site which allows our users seamless access to our dynamic pages where they can enroll in our workshops, and access other secured pages.

Is is possible to transfer a user session from our current domain to our new training website (domain) without having the user to log out from one domain and sign in on the other?

Could cookies or javascript be used to transfer the user session?

Thank you.

use a form post to transfer from one domain to another.

for each session variable, create a hidden form element that uses the session as the value.

on the page that the form posts to, use the set session value to set each session variable using the form post.

Here is the form post I have come up with:

<form id="form" method="post" action="http://www.mycorpu.org/index.php">
<input name="UserID" type="hidden" value="<?php echo $_SESSION['UserID']; ?>">
<a onclick="form.submit();">Corporate University </a>
</form>

As you can see, I am using the UserID session variable to pass the user session over to the other domain. However, I am uncertain if just passing the UserID session variable is sufficient to pass the user session. As you may recall from my original post, I would like the user (once logged in) to seamlessly transfer from the domain they are signed into to the other domain (mycorpu.org) without having to resign in.

You stated in your previous post that on the page the form posts to, I would need to use the set session value to set each session variable using the form post. On the page where the form is supposed to post to, I used the eCart set session value and here is what I came up with:

<?php
if (!session_id()) session_start();
if((isset($_GET['UserID']) && $_GET['UserID'] != "")) {
$_SESSION["UserID"] = "???";
}
?>

As you can see above, I placed (???) in the value area. I am uncertain as to what goes here. Am I to insert the actual User Session Variable in the value field?

your form is using the POST method, so the code for the trigger:
if((isset($_GET['UserID']) && $_GET['UserID'] != "")) {

will not work, it needs to use the post method also:
if((isset($_POST['UserID']) && $_POST['UserID'] != "")) {


the value you use for setting the session, is the form post value:

$_SESSION["UserID"] = $_POST['UserID'];

Thank you, Jason. I will give this a try, per your instructions.

Just a thought, if the user session is successfully passed onto the other domain, will the user be able to access content which has SA access rules applied to them? The other domain that the form posts to includes several pages where SA access rules have been applied - where a specific userLevel is required to access such content. In this case, the UserID that is being passed is associated with a recognized userLevel.

as long as you pass all sessions that are needed, and use the same names, the security assist access rules should work.

The recommendations you provided worked out fine. I was able to successfully pass both the UserID and userLevel session variables over to the other domain. And, I was able to access pages where SA access rules appeared to apply.

However, I noticed a side affect that I did not anticipate. After I had passed the user session over to the other domain, I noticed that the profile information of the user could not be seen, such as the user's first or last name, email address, etc. I can only conclude that passing just the UserID session variable does not necessarily mean I can access the user profile contact data. When I attempted to access the user profile.php page, the page displayed a message that it could not find a profile.

Is my understanding correct?

how is the recordset on the user profile page configured?

It probably uses another session that is not being passed. It sounds like there are other sessions you are using on the one domain that are not being passed to the other.

Here is how the records set is configured on the profile.php page:

<?php
$ParamUserID_WAATKusers = "-1";
if (isset($_SESSION['UserID'])) {
$ParamUserID_WAATKusers = (get_magic_quotes_gpc()) ? $_SESSION['UserID'] : addslashes($_SESSION['UserID']);
}
mysql_select_db($database_localhost, $localhost);
$query_WAATKusers = sprintf("SELECT users.*, Level FROM users INNER JOIN userlevels ON users.userLevel = userlevels.ID WHERE UserID = %s", GetSQLValueString($ParamUserID_WAATKusers, "-1"));
$WAATKusers = mysql_query($query_WAATKusers, $localhost) or die(mysql_error());
$row_WAATKusers = mysql_fetch_assoc($WAATKusers);
$totalRows_WAATKusers = mysql_num_rows($WAATKusers);
?>

Here is what the current domain is passing over to the other:

<form id="form" method="post" action="http://www.mycorpu.org/index.php">
<input name="UserID" type="hidden" value="<?php echo $_SESSION['UserID']; ?>">
<input name="userLevel" type="hidden" value="<?php echo $_SESSION['userLevel']; ?>">
<a onClick="form.submit();">Corporate University </a>
</form>

Other than the userLevel and UserID, there are no other sessions (supposedly) being passed.
When I stated in my other post that I was able to successfully pass the variables over, I noticed that (at least) the userLevel session was passing, since I was able to access content secured by SA. The shopping cart was also able to recognize the userLevel session, as it applied the correct discounts and passed me to PayPal without login. It is possible that the UserID session may not be passing over, since it appears I could not see the user profile data.

Thoughts?

on the profile, add the following code at line 1:

<?php @session_start(); ?>

then in the body add this code for troubleshooting:

<pre><?php var_dump($_SESSION); ?></pre>
<?php echo($query_WAATKusers); ?>