My suspect is the Suhosin project's session encryption function; this set of patches is included in most Debian-based systems. It can be configured to encode the contents of the session file using a key generated from various sources, to protect the contents of the session from other PHP scripts running on the same computer (shared hosting) or from session capture. One source is the docroot (enabled by default), which usually differs for each subdomain.
Check if installed
A simple phpinfo() will report on the extension and its settings; search for a block named suhosin and look below it to see if suhosin.session.encrypt and suhosin.session.cryptdocroot
Disable encryption
Obviously, you can edit php.ini to disable all encryption or only the docroot part if you have access to the server.
If you do not, and Apache is running on the server, try disabling it in the .htaccess file of your PHP app root as follows:
php_flag "suhosin.session.cryptdocroot" 0
If this works, you should see the difference in the phpinfo() output (Local value column).
If your host does not allow the .htaccess file, you can set the same variable in PHP, but it is important to do this before session_start(). Hope you have some kind of front controller to host this.
ini_set('suhosin.session.cryptdocroot', 0);
phpinfo();
The phpinfo output should be the same as with the .htaccess method: cryptdocroot with the local value "Off".
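A narrower check than scanning the full phpinfo() page, as an added example that is not part of the original answer: it reads the global and local values of the two directives named above, reports whether each one may be changed per directory or at runtime, and checks the return value of ini_set(), which is false when the change was refused. The function name report_suhosin_session is hypothetical; the code is written for PHP 5.4-style syntax and should be requested through the same vhost as the application.

```php
<?php
// Added example (not from the original answer).
// Directives discussed in the answer above.
$directives = array(
    'suhosin.session.encrypt',
    'suhosin.session.cryptdocroot',
);

// Hypothetical helper: returns the state of each directive and, optionally,
// the result of trying the runtime override for cryptdocroot.
function report_suhosin_session(array $directives, $tryRuntimeOverride)
{
    if (!extension_loaded('suhosin')) {
        return array('loaded' => false, 'settings' => array());
    }

    // With details=true each entry has global_value, local_value and access.
    $all = ini_get_all('suhosin', true);
    $out = array();

    foreach ($directives as $name) {
        if (!isset($all[$name])) {
            $out[$name] = null;            // directive not registered
            continue;
        }
        $entry = $all[$name];
        $row = array(
            'global'              => $entry['global_value'],  // php.ini value
            'local_before'        => $entry['local_value'],   // after .htaccess
            'htaccess_changeable' => (bool) ($entry['access'] & INI_PERDIR),
            'runtime_changeable'  => (bool) ($entry['access'] & INI_USER),
        );
        if ($tryRuntimeOverride && $name === 'suhosin.session.cryptdocroot') {
            // ini_set() returns false when the setting cannot be changed here.
            $row['ini_set_ok']  = ini_set($name, '0') !== false;
            $row['local_after'] = ini_get($name);
        }
        $out[$name] = $row;
    }
    return array('loaded' => true, 'settings' => $out);
}

// Must run before session_start(), like the ini_set() call in the answer.
header('Content-Type: text/plain');
print_r(report_suhosin_session($directives, true));
```

If local_before already differs from global, the .htaccess override was applied; if ini_set_ok is false, the runtime override was refused and the setting has to be changed in .htaccess or php.ini instead.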