I have a Laravel 6 site, and a legacy Drupal 7 site. Both are served under the same domain, and both share the same user database table.
I'd like users to be able to log in via Laravel (never via Drupal) and then browse between the two systems freely, being logged into both.
Rather than attempt to reverse-engineer one or both systems' session handling in order to implement it in the other, I have come up with an alternative. The idea is to embed a very simple page from system A into an iframe in each page served by system B and vice-versa.
Laravel could load a Drupal page such as /session-check?token=12345. Drupal would recognise this token (using a shared db value, shared app secret, or private SSL key perhaps?) and log the user into Drupal, if not already. Otherwise it would just refresh the (Drupal) session lifetime. Thus sessions in both systems would initiate at pretty much the same moment, and stay fresh for the same timeframe. In all other respects the sessions would be independent, and entirely native to their original system.
Drupal would only need to load a very simple page from Laravel which refreshes Laravel's native session. Thus if you browse only Drupal pages, Laravel's session is still kept fresh.
I have all this working just fine, using a simplistic token mechanism, but wanted to ask the following:
- Am I overlooking potential security implications?
- Are there suggestions on the best "shared token" method in this case, given that the two apps can access each other's cookies and databases?
I've read you should never attempt "home-grown" security, but it seems my scenario is sufficiently unique that the usual options aren't exactly what I'm after. That said, I'm keen to integrate existing solutions where possible, at least for the token system.
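An added illustration of one way to build the "shared token" the question asks about; this is not code from the question, nor from Laravel or Drupal. The token is an HMAC-SHA256 over a JSON payload carrying the user id, the target app (audience), issue and expiry times and a single-use id; the receiving side checks the MAC in constant time before parsing, then rejects the wrong audience, expired or future-dated tokens, and replays. It is written in Python so it runs stand-alone; the shared secret, the audience names "laravel" and "drupal", the 30-second lifetime and the verifier standing in for the /session-check handler are all assumptions.

```python
"""Shared-secret, single-use cross-login token (illustrative, not Laravel/Drupal code)."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: both apps read this from a shared config or secret store.
# It is a placeholder here; in production it would be 32 random bytes, never hard-coded.
SHARED_SECRET = b"replace-with-32-random-bytes-from-a-secret-store"
CLOCK_SKEW = 5  # seconds of clock drift tolerated between the two apps


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, body: str) -> str:
    return _b64e(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(secret: bytes, user_id: int, audience: str, now: int, ttl: int = 30) -> str:
    """Mint a token for one target app, valid for `ttl` seconds and usable once."""
    claims = {
        "uid": user_id,
        "aud": audience,               # which app may accept this token
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(16),  # unique id so the verifier can reject replays
    }
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(secret, body)}"


class TokenVerifier:
    """Verifier held by the receiving app (the role the /session-check handler plays)."""

    def __init__(self, secret: bytes, audience: str):
        self.secret = secret
        self.audience = audience
        self._seen = {}  # jti -> exp; entries are pruned once they expire

    def verify(self, token: str, now: int):
        """Return (user_id, None) on success or (None, reason) on failure."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None, "malformed"
        # Check the MAC before trusting any of the payload, in constant time.
        if not hmac.compare_digest(sig, _sign(self.secret, body)):
            return None, "bad_signature"
        try:
            claims = json.loads(_b64d(body))
        except (ValueError, UnicodeDecodeError):
            return None, "malformed"
        if claims.get("aud") != self.audience:
            return None, "wrong_audience"
        if claims["iat"] > now + CLOCK_SKEW:
            return None, "issued_in_future"
        if claims["exp"] < now:
            return None, "expired"
        # Drop replay-cache entries that can no longer be presented, then check this one.
        self._seen = {j: e for j, e in self._seen.items() if e >= now}
        if claims["jti"] in self._seen:
            return None, "replay"
        self._seen[claims["jti"]] = claims["exp"]
        return claims["uid"], None


if __name__ == "__main__":
    now = 1_000_000
    token = issue_token(SHARED_SECRET, 42, "drupal", now)
    drupal = TokenVerifier(SHARED_SECRET, "drupal")
    print(drupal.verify(token, now))        # (42, None)
    print(drupal.verify(token, now))        # (None, 'replay')
    print(TokenVerifier(SHARED_SECRET, "laravel").verify(token, now))  # (None, 'wrong_audience')
```

Because the token travels in a URL loaded by an iframe, it will appear in web-server logs and possibly in Referer headers, so the short lifetime and single-use id matter more than they would for a header-borne credential. The audience claim stops a token minted for the Drupal side from being accepted by the Laravel side, and checking the MAC before parsing means a forged payload never reaches the JSON decoder.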