File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Tomcat and the fly likes Session sharing (JSP-PHP) Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Session sharing (JSP-PHP)" Watch "Session sharing (JSP-PHP)" New topic

Session sharing (JSP-PHP)

Gary Smith

Joined: May 05, 2004
Posts: 1
Hi there,
first, let me say that I don't know anything about PHP.
Second, here's the problem :
We have 2 web applications.
The first one is a user registration application made in PHP, that runs under Apache.
The second one is the 'main' application, made in JSP and running on Tomcat.

We would like to be able to share information between both applications so the user would not have to log back into one system if he was already logged in the other. Is there an existing mechanism to do such a thing? If not, is it possible to implement something simple to do so? Do you see any problem with such a thing?
I know we can do something similar to share information between various webapps on a single Tomcat server, but can this be done with an Apache webapp and a Tomcat webapp?
Thanks in advance!
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

'Java Noob'

Check out our name policy:

As for your problem: PHP sessions are different 'objects' than JSP sessions, and are stored in their respective containers. Are you looking to access something that was stored in a JSP session, on the PHP side, and vica-versa, or are you merely looking for 'single sign on', which involves only authentication, while not implying "same session".?

The tomcat mechanism you alude to is for single sign on, but I don't believe this is the exact same thing as 'sharing session'.

One thing you might consider is storing the 'session' state in a database, and have both apps consult this database for sessions. But if you're going that far, you might as well re-write the PHP app as a JSP app (or vica versa).
Consuela Nadirnyata

Joined: May 07, 2004
Posts: 1
Hello there!
I have a similar problem than the one described by java noob.
1st, we have our main product, wich is a JSP site (on Tomcat, but accessible through Apache via mod_jk).
2nd, we have our user registration site that is written in Php (on Apache).
Users will access our JSP site, and if they want to edit their user's profile, they will be forwarded to the Php site. We'd like them not to have to re-enter their login and password, as it makes things look a lot less professionnal.
Another issue, is that we don't force users to login on the JSP site (we don't use tomcat's security mechanism). All pages are accessible to 'guests', but with less features than for registered customers . Our login is performed via a simple struts action, that authenticates the user and store his profile in his session. Once this is done, if the user wish to edit his profile or his subscription, he can click on a link and be forwarded to the Php site.
We'like to implement something that could tell the Php site that the user was already loged in.
any thoughts on how this could be done?
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

Well, if you're not using any of the Tomcat A&A (Authentication & Authorization) stuff, then I'm assuming you consider a user logged in if they put a username and password into a form. Then you create whatever objects you want, and stick them in the session. Or you do it through a Struts action. (I'm not familiar with Struts).

You could *fake* a PHP login by doing something tricky when the user logs in through the struts action. either throw a page to the user that contains javascript to submit a hidden form on load, that would basically log them in to the php app. so something like:

1) show page that logs person in to JSP
2) process JSP login
3) send a page to the browser that automagically submits to the PHP login
4) process PHP login
5) send them back to the JSP site.

So now they're logged in both places.

you might also accomplish this through using HTTPUrlConnection directly. This means you wouldn't rely on javascript on client side, and your steps would collapse to:

1) show JSP login page
2) process JSP/PHP login
3) show JSP site.
Brahim Bakayoko
Ranch Hand

Joined: Aug 29, 2003
Posts: 155

SCJP, SCWCD, SCBCD, IBM CSD WebSphere v5, <br />A+, MCP 2000 and 2000 server, CST, and few incompleted certification tracks.<br /> <br />Ivory Coast<br /> <br />Analyze your web Request/Response @ <a href="" target="_blank" rel="nofollow"></a> down for a while...
Bruno Dery
Ranch Hand

Joined: Oct 05, 2003
Posts: 37
Yea we have the same exact problem!
What we came up as a solution is depends on the scenario. If you log into the php side, we call our struts action with an extra parameter for the user ID who logged in using a php function called fopen which can open up URLs just like normal files, and the good thing is this happens on the server-side so the user ID isnt exposed at all on client side.
From Java to Php we use the HTTPUrlConnection which is the equivalent of php's fopen, and it still hides all this from the client-side, users wont notice anything.
You need to do the same thing for logout unfortunatly to keep things consistent. Otherwise people might logout in java but still be logged in in php.
Cookies might be an option, but you would have to be careful to set the timeout fairly quick to avoid a security problem, I guess. I'm not a pro at cookies but I would think anything on the client-side is modifyable by a clever user and hence could be a security breach.
Bruno Dery
Ranch Hand

Joined: Oct 05, 2003
Posts: 37
Also as a side note I dont know if there's any way to make this more secure, because basicly what it means is that somebody could by chance type in the url for example and would login the person with userid 1. This is not very secure, but again our application doesnt need military type security. Still if there's a better way to do this please post
Bruno Dery
Ranch Hand

Joined: Oct 05, 2003
Posts: 37
Maybe there's a way to check that the server called himself via the referrer or something? Like this kind of login could accept this parameter injection only from localhost?
Warren Dew
Ranch Hand

Joined: Mar 04, 2004
Posts: 1332
Bruno, why not just pass in the password that the user provided along with the user ID?
Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2373

What about sharing session objects throughout multiple web applications (separate war files) (acting as a single application for consistent look and feel) under single applicaiton server? Generally it should have no problem unless multiple JVMs are used, right?

Ashik Uzzaman
Senior Software Engineer, TubeMogul, Emeryville, CA, USA.
I agree. Here's the link:
subject: Session sharing (JSP-PHP)
It's not a secret anymore!