My first post - firstly have to say that this site is great - it's helped me many times without me ever having to ask a question. Until now!
I run a webapp built using PHP / MySQL / jQuery - absolutely everything is loaded / posted using jQuery AJAX - .load() and .post(). I have a number of different clients using this webapp, all with subdomains of the form: client1.example.com, client2.example.com, while example.com is the advertising page.
When I had few clients I duplicated files - eg all necessary files for client1 would be in the folder example/client1/, while client 2 would get an exact copy at example/client2/
As my number of clients grew, I changed the structure so that clients shared common files - now AJAX calls would go from the folder /example/client1 to /example
This was working fine, as each client's subdomain was being redirected to the actual folder - eg client1.example.com is redirected to example.com/client1. This redirection was necessary so that AJAX calls would not fail due to browsers' Same Origin Policy.
The problem that this causes is that common users between different clients would be able to see information from the other systems by changing their URL after login eg from example/client1 to example/client2, due to PHP sessions not being exclusive - each client was perceived as being on the same domain - example.com.
The way to get around this would be to use subdomains WITHOUT redirection - as this way PHP sessions would be exclusive.
Doing this causes all the AJAX calls to the parent folder to fail due to Same Origin Policy. :(
I have researched this cross domain AJAX request problem and tried a number of different solutions:
1) Tunneling using an iFrame - AJAX object in parent folder - AJAX calls succeed - but same problem occurs with PHP sessions - domain is perceived as example.com instead of client1.example.com
2) Trick of setting document.domain=example.com - doesn't seem to work - this is an old outdated workaround I think
3) Setting PHP headers - header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']); Doesn't work at all
I don't want to use any different libraries for ajax calls.
Currently I've come up with two options:
1) Use the old method of duplicating files for each client, which I'd rather not do as it's a waste of space and makes updating files a pain - I have to replace many files rather than just 1.
2) Use a PHP base file in each client directory which will receive all AJAX calls and then include the requested file from the parent folder. I've tested this and it seems to be working well - so this is the option I'd go with unless someone out there has a better solution?
To elaborate on this option:
Say I'm posting from a page in subdomain: http://client1.example.com
Rather than call $.post('http://example.com/file.php'); (which will fail)
I call $.post('http://client1.example.com/base.php',{target:'file.php'})
Then from base.php just include('../'.$_REQUEST['target'])
I'm quite happy going with option 2, but it just leads me to wonder is there a better way? *Anyone else experience a similar problem?*
Cheers! J
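
The base.php dispatcher from option 2, as an added example that is not part of the original post: since `target` arrives in the request, this version includes only names on a fixed allowlist and confirms the resolved path stays inside the shared folder. The allowlist entries other than file.php, the function name `resolve_target`, and the shared-folder location are assumptions.

```php
<?php
// base.php - added example, not the poster's code.
declare(strict_types=1);

// Assumption: shared scripts live one level above the client folder.
const SHARED_DIR = __DIR__ . '/..';

// Assumption: hypothetical list of shared scripts reachable through AJAX.
const ALLOWED_TARGETS = ['file.php', 'orders.php', 'profile.php'];

/**
 * Map a requested script name to a real path inside the shared folder.
 * Returns null for anything that is not an exact allowlist entry.
 */
function resolve_target(string $requested, string $sharedDir, array $allowed): ?string
{
    // Exact, strict match: rejects "../", absolute paths, stream wrappers
    // such as "php://", embedded NUL bytes and any name not listed.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    $base = realpath($sharedDir);
    $path = realpath($sharedDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // folder or file does not exist
    }

    // Defence in depth: a symlink under the shared folder could still
    // point elsewhere, so compare the canonical paths.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// $.post() sends the parameter in the body, so read $_POST rather than
// $_REQUEST, which also merges in query-string and cookie values.
$target = $_POST['target'] ?? '';
$path = is_string($target)
    ? resolve_target($target, SHARED_DIR, ALLOWED_TARGETS)
    : null;

if ($path === null) {
    http_response_code(404);
    exit;
}
require $path;
```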