PHP Sessions across sub domains

Solution 1

I do not know if the problem still exists, but I just ran into the same problem and solved it by setting a session name before calling session_set_cookie_params():

$some_name = session_name("some_name");
session_set_cookie_params(0, '/', '.example.com');
session_start();

I have changed nothing in my php.ini but now everything is working fine.

Solution 2

One thing which can mysteriously prevent session data being read on a subdomain, despite cookies being correctly set to .example.com, is the PHP Suhosin patch. You can have everything configured correctly, as per the examples in the question, and it can just not work.

Turn the following Suhosin session settings off, and you're back in business:

suhosin.session.cryptua = Off 
suhosin.session.cryptdocroot = Off

Solution 3

Try using:

session.cookie_domain = "example.com"

Instead of:

session.cookie_domain = ".example.com"

Note the missing period at beginning.

Be careful using this, though, because it is not supported by all browsers.

Solution 4

Had this exact problem - I wanted session values created on x.example.local to be available on example.local and vice-versa.

All solutions I found said to change the Session domain by using php_value session.cookie_domain .example.local in .htaccess (or via php.ini or via ini_set).

The catch was I was setting the session.cookie_domain for all subdomains (so far ok) but also for the main domain. Setting the session.cookie_domain on the main domain is apparently a no-no.

Basically the way it worked for me:

  • set the session.cookie_domain for ALL SUBDOMAINS.
  • don't set it for the main DOMAIN

Oh yes, please make sure the domain has a TLD (in my case .local). The HTTP protocol doesn't allow cookies/sessions to be stored on a domain without a TLD (i.e. localhost won't work, but stuff.localhost will).

EDIT: Also make sure you always clear your browser cookies while testing/debugging sessions across subdomains. If you don't, your browser will always send the old session cookie which probably doesn't have the correct cookie_domain set yet. The server will revive the old session and therefore you'll get false negative results. (in many posts it's mentioned to use session_name('stuff') for the exact same effect)

Solution 5

I have confirmed. joreon's answer is correct. I cannot comment because my reputation is not enough so I post my comment here.

Define the constant in a config file. If you want to change it, no need to modify whole files.

define('ROOT_DOMAIN',   'mysite.example');
define('PHP_SESSION_NAME', 'MYSITE'); 

The session name can't consist of digits only; at least one letter must be present. Otherwise, a new session id is generated every time.

Use the following code to start using the session:

session_name(PHP_SESSION_NAME);
session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
session_start();

I'm using this function:

function load_session() {
    if (session_status() == PHP_SESSION_NONE) {
        session_name(PHP_SESSION_NAME);
        session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
        session_start();
    } elseif (session_name() != PHP_SESSION_NAME) {
        session_destroy();
        session_name(PHP_SESSION_NAME);
        session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
        session_start();
    }
}
load_session(); // call it anywhere you want to use the session
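
Added example (not part of any answer above): a bootstrap in the style of Solutions 1 and 5 that also sets the cookie security flags, plus a diagnostic dump for the symptom in the question, where the session ID matches across subdomains but $_SESSION does not. It assumes PHP 7.3+, HTTPS on every subdomain, and the placeholder constants ROOT_DOMAIN and SESSION_NAME.

```php
<?php
// Added example; ROOT_DOMAIN and SESSION_NAME are placeholder values.
const ROOT_DOMAIN  = 'example.com';
const SESSION_NAME = 'MYSITE';

function start_shared_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name(SESSION_NAME);              // must be called before session_start()
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_set_cookie_params([              // array form needs PHP 7.3+
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '.' . ROOT_DOMAIN,     // cookie is sent to every subdomain
        'secure'   => true,                  // assumption: all subdomains use HTTPS
        'httponly' => true,                  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Settings to compare between subdomains when the same ID loads different data.
function session_diagnostics(): array
{
    return [
        'host'          => $_SERVER['HTTP_HOST'] ?? PHP_SAPI,
        'session_name'  => session_name(),
        'session_id'    => session_id(),
        'cookie_params' => session_get_cookie_params(),
        'save_handler'  => ini_get('session.save_handler'),
        'save_path'     => session_save_path(),
        // ini_get() returns false when Suhosin is not loaded.
        'suhosin.session.cryptua'      => ini_get('suhosin.session.cryptua'),
        'suhosin.session.cryptdocroot' => ini_get('suhosin.session.cryptdocroot'),
        'stored_keys'   => array_keys($_SESSION),
    ];
}

start_shared_session();
header('Content-Type: text/plain');
print_r(session_diagnostics());
```

Serve this file from each subdomain and compare the output: a different save_path or save_handler, or Suhosin's docroot and User-Agent binding being enabled, accounts for identical session IDs with different $_SESSION contents.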
Author by

dragonmantank


Updated on April 14, 2020

Comments

  • dragonmantank about 4 years

    I am trying to set up the following:

    auth.example.com
    sub1.example.com
    sub2.example.com
    

    If the user visits sub1.example.com or sub2.example.com and they are not logged in, they get redirected over to auth.example.com and can log in.

    sub1.example.com and sub2.example.com are two separate applications but use the same credentials.

    I tried setting the following in my php.ini:

    session.cookie_domain = ".example.com"
    

    but it doesn't seem to be passing the information from one domain to the other.

    [Edit]

    I tried the following:

    sub1.example.com/test.php

    session_set_cookie_params(0, '/', '.example.com');
    session_start();
    print session_id() . "<br>";
    $_SESSION['Regsitered'] = 1;
    echo '<a href="http://auth.example.com/test.php">Change Sites</a>';
    

    auth.example.com/test.php

    session_set_cookie_params(0, '/', '.example.com');
    session_start();
    print session_id() . "<br>";
    $_SESSION['Checked'] = 1;
    print_r($_SESSION);
    

    The session IDs are exactly the same but when I dump out the $_SESSION variable it doesn't show both keys, just whatever key I set under each domain.