PHP Sessions in Subdomains

I am trying to configure the following:

    auth.domain.com
    sub1.domain.com
    sub2.domain.com

where if a user visits sub1.domain.com or sub2.domain.com and they are not logged in, they go to auth.domain.com and can log in. sub1.domain.com and sub2.domain.com are two separate applications, but use the same credentials.

I tried setting the following in my php.ini:

 session.cookie_domain = ".domain.com" 

but it does not seem to transfer information from one domain to another.

[change]

I tried the following:

sub1.domain.com/test.php

    session_set_cookie_params(0, '/', '.domain.com');
    session_start();
    print session_id() . "<br>";
    $_SESSION['Regsitered'] = 1;
    echo '<a href="http://auth.domain.com/test.php">Change Sites</a>';

auth.domain.com/test.php

    session_set_cookie_params(0, '/', '.domain.com');
    session_start();
    print session_id() . "<br>";
    $_SESSION['Checked'] = 1;
    print_r($_SESSION);

Session IDs are exactly the same, but when I output the $_SESSION variable, it does not display both keys, only any key that I set for each domain.

[Change 2]

I updated [Edit]

+88
authentication php session cross-domain
Jun 30 '09 at 15:12
17 answers

I don't know if a problem exists, but I just ran into the same problem and decided to set its name before calling session_set_cookie_params():

    $some_name = session_name("some_name");
    session_set_cookie_params(0, '/', '.some_domain.com');
    session_start();

I have not changed anything in my php.ini, but now everything is working fine.

+129
Sep 22 '09 at 0:35

One thing that might mysteriously prevent session data from being read in a subdomain, even though cookies are correctly configured on .domain.com, is the PHP Suhosin patch. You can configure everything correctly, according to the examples in the question, and it may just not work.

Disable the following Suhosin session settings and you are back in business:

    suhosin.session.cryptua = Off
    suhosin.session.cryptdocroot = Off
+24
Jun 25 2018-11-12T00:

Try using:

 session.cookie_domain = "domain.com" 

Instead of:

 session.cookie_domain = ".domain.com" 

Pay attention to the missing period.

Be careful with this because it is not supported by all browsers.

+5
Jun 30 '09 at 15:17

If this is the exact problem - I wanted the session values created on x.example.local to be available on example.local and vice versa.

All solutions found speak of changing the domain of the session using php_value session.cookie_domain .example.local in .htaccess (either through php.ini or through ini_set).

By trick, I set session.cookie_domain for all subdomains (still good), as well as for the main domain. Setting session.cookie_domain in the main domain does not seem to matter.

Basically, how it worked for me:

  • set session.cookie_domain for ALL SUBDOMAINS.
  • do not set it for the main DOMAIN

Oh yes, please make sure the domain has a TLD (in my case .local). The HTTP protocol does not allow cookies / sessions to be stored in a domain without .tld (that is, localhost will not work, but stuff.localhost will).

EDIT: Also make sure that you always clear your browser cookies during testing / debugging sessions on subdomains. If you do not, your browser will always send an old session cookie, which probably does not yet have the correct cookie_domain. The server will revive the old session, and therefore you will get false negative results. (in many posts he mentioned using session_name("stuff") for the same effect)

+4
Dec 03 '13 at 14:10

I solved it like this:

    ini_set('session.cookie_domain', '.testdomain.dev');
    session_start();

Because I worked on localhost

 ini_set('session.cookie_domain', '.localhost'); 

didn't work; it sees .localhost as the top layer instead of .com / .local / ... (I suspect)

I also used .dev because working with OS X does not seem to allow .com as first in HOSTS

+3
Apr 12 2018-12-12T00:

Use it for each domain / subdomain:

    session_name('name');
    ini_set('session.cookie_domain', '.example.com');
    ini_set('session.save_path', '/var/lib/php/session');
    session_start();

The path for session.save_path may be different for your case, but it should be the same for each domain / subdomain. By default, this is not always true.

+2
Nov 17 '13 at 7:03

I confirmed. joreon's answer is correct. I cannot comment, because my reputation is not enough, so I post my comment here.

Define a constant in the configuration file. If you want to change it, you do not need to change whole files.

    define('ROOT_DOMAIN', 'mysite.com');
    define('PHP_SESSION_NAME', 'MYSITE');

The name of the session cannot consist only of numbers; at least one letter must be present. Otherwise, a new session identifier is generated each time.

Use the following code to start using a session

    session_name(PHP_SESSION_NAME);
    session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
    session_start();

I am using this function:

    function load_session() {
        if (session_status() == PHP_SESSION_NONE) {
            session_name(PHP_SESSION_NAME);
            session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
            session_start();
        } else {
            if (session_name() != PHP_SESSION_NAME) {
                session_destroy();
                session_name(PHP_SESSION_NAME);
                session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
                session_start();
            }
        }
    }

    load_session(); // call it anywhere you want to use the session
+2
May 12 '15 at 17:56

Use this, it works:

 ini_set('session.cookie_domain', substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100)); 
+1
05 Oct '10 at 20:22
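
Added example (not part of the answers on this page): the `substr()`/`strpos()` one-liner above returns everything from the first dot, so it yields `.b.example.com` for `a.b.example.com` and `.com` for the bare `example.com`, and it accepts whatever `SERVER_NAME` holds. The PHP 8 code below picks the cookie domain from an allow-list instead and starts the session with the `Secure`, `HttpOnly` and `SameSite` attributes; `ALLOWED_ROOTS`, `APPSESSID`, the function names and the sample hosts are assumptions made for the illustration.

```php
<?php
// Added example, PHP 8+. ALLOWED_ROOTS, APPSESSID and the sample hosts are
// constructed for illustration; they do not come from the original answers.
const ALLOWED_ROOTS = ['example.com', 'example.co.uk'];

// The one-liner from the answer: everything from the first dot onward.
function naive_cookie_domain(string $host): string
{
    return substr($host, (int) strpos($host, '.'), 100);
}

// Returns ".root" when $host is an allow-listed root or one of its subdomains,
// or null for any other host (the caller then uses a host-only cookie).
function cookie_domain_for(string $host, array $roots = ALLOWED_ROOTS): ?string
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($roots as $root) {
        if ($host === $root || str_ends_with($host, '.' . $root)) {
            return '.' . $root;
        }
    }
    return null;
}

// Call before any output, e.g. start_shared_session($_SERVER['SERVER_NAME']).
function start_shared_session(string $host): void
{
    session_name('APPSESSID');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => cookie_domain_for($host) ?? '', // '' = host-only cookie
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject unknown session IDs
    session_start();
}

// Constructed hosts: compare both derivations.
$hosts = ['sub1.example.com', 'a.b.example.com', 'example.com', 'localhost', 'notexample.com'];
foreach ($hosts as $h) {
    printf("%-17s naive=%-15s allow-list=%s\n", $h,
        naive_cookie_domain($h), var_export(cookie_domain_for($h), true));
}
```

A cookie scoped to `.example.com` is sent to every host under that domain, so every subdomain has to be trusted with the session identifier.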

Subdomain and Root Domain Cookie Sessions Combined Use

Resource: http://php.net//manual/tr/function.session-set-cookie-params.php

I tested the work

    sub.exampledomain.com/sessionadd.php?id=123
    exampledomain.com/sessionview.php // 123

- Codes

    <?php
    // Reuse the current cookie settings, changing only the domain.
    $currentCookieParams = session_get_cookie_params();
    $rootDomain = '.example.com';

    session_set_cookie_params(
        $currentCookieParams["lifetime"],
        $currentCookieParams["path"],
        $rootDomain,
        $currentCookieParams["secure"],
        $currentCookieParams["httponly"]
    );

    session_name('mysessionname');
    session_start();

    // $cookieName and $cookieValue must be defined before this call.
    setcookie($cookieName, $cookieValue, time() + 3600, '/', $rootDomain);
    ?>
+1
Aug 28 '14 at 16:26

I understand that you do not want something like OpenID, as Joel suggests, but you want to have access to session data across multiple domains.

The only possibility that I can consider as a solution to this problem is to store the session data in the database and pull it out of this database.

0
Jun 30 '09 at 15:18

I know this is old, but it works great for me with multiple domains and subdomains in one window.

    <?php
    // Note: the mysql_* functions used here were removed in PHP 7.0,
    // so this code runs as written only on PHP 5.
    define('site_domain', 'domain.com');
    session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_clean');

    // Open the database connection that stores the sessions.
    function _open() {
        global $_sess_db;
        $db_user = 'user';
        $db_pass = 'pass';
        $db_host = 'localhost';
        if ($_sess_db = mysql_connect($db_host, $db_user, $db_pass)) {
            return mysql_select_db('database', $_sess_db);
        }
        return false;
    }

    function _close() {
        global $_sess_db;
        return mysql_close($_sess_db);
    }

    // Return the stored data for this id, domain and user agent ('' if none).
    function _read($id) {
        global $_sess_db;
        $id = mysql_real_escape_string($id);
        $domain = mysql_real_escape_string(site_domain);
        // Fixed: escape the User-Agent string itself, not the boolean from isset().
        $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
        $sql = "SELECT data FROM sessions WHERE id = '$id' AND domain = '$domain' AND agent = '$agent'";
        if ($result = mysql_query($sql, $_sess_db)) {
            if (mysql_num_rows($result)) {
                $record = mysql_fetch_assoc($result);
                return $record['data'];
            }
        }
        return '';
    }

    // Insert or overwrite the session row.
    function _write($id, $data) {
        global $_sess_db;
        $access = time();
        $id = mysql_real_escape_string($id);
        $access = mysql_real_escape_string($access);
        $data = mysql_real_escape_string($data);
        $domain = mysql_real_escape_string(site_domain);
        $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
        $sql = "REPLACE INTO sessions VALUES ('$id', '$access', '$data', '$domain', '$agent')";
        return mysql_query($sql, $_sess_db);
    }

    function _destroy($id) {
        global $_sess_db;
        $id = mysql_real_escape_string($id);
        $domain = mysql_real_escape_string(site_domain);
        $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
        $sql = "DELETE FROM sessions WHERE id = '$id' AND domain = '$domain' AND agent = '$agent'";
        return mysql_query($sql, $_sess_db);
    }

    // Garbage collection: delete rows older than $max seconds.
    function _clean($max) {
        global $_sess_db;
        $old = time() - $max;
        $old = mysql_real_escape_string($old);
        $domain = mysql_real_escape_string(site_domain);
        $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
        $sql = "DELETE FROM sessions WHERE access < '$old' AND domain = '$domain' AND agent = '$agent'";
        return mysql_query($sql, $_sess_db);
    }
    ?>

0
Jan 17 2018-12-17T00:

I read all the answers above, I think my answer is useful for people who come to this game.

* Make sure browsers send session cookies to servers (domain and subdomains): set the session cookie for the domain as ".example.com".

* Make sure PHP finds the correct "target" to restore the session variables:
  - If the domain and subdomains point to the same computer (possibly different virtual hosts), make sure that "session_save_path" is the same for everyone (I tested).
  - If the domain and subdomains point to different machines, a common storage (for example, a database) is best for saving and restoring session data (I have not tested it yet). To do this, use "session_set_save_handler".

0
Dec 21

Just try using the following code just above the session_start() method

    $sess_life_time = 21600; // in seconds
    $sess_path = "/";
    $sess_domain = ".you-site-name.com";
    $sess_secure = true; // if you have secured session
    $sess_httponly = true; // httponly flag
    session_set_cookie_params($sess_life_time, $sess_path, $sess_domain, $sess_secure, $sess_httponly);
0
Jul 09 '14 at 10:50

I had a similar problem, however this solution was useful for me, maybe it will help others in the future

edit php.ini

session.cookie_domain = ".example.com"

the magic is here

    suhosin.session.cryptdocroot = Off
    suhosin.cookie.cryptdocroot = Off

https://www.sitepoint.com/community/t/sessions-across-subdomains-domain-com-phpsessid-changes/3013/19

0
Jul 26 '16 at 19:06

I can't speak for other versions of PHP, but in 5.6.6 just setting session.cookie_domain in the php.ini did the trick to allow all my iPage subdomains to use the same set of session variables.

Be sure to delete all existing cookies related to your domain from your browser in order to verify.

 session.cookie_domain = '.yourdomainname.org' 

Oh, I don’t know if that matters, but I also use autorun session.

 session.auto_start = 1 
0
Nov 03 '16 at 17:13

Please, in my case, I have a domain on the server. I created a wildcard subdomain to accept any subdomains. Now, when trying to log in with a subdomain, session_start refuses to register. I could not access the session data. What's wrong?

0
Jul 18 '19 at 19:11

A quick and dirty solution is to use this for your redirect:

    // header() needs the "Location: " prefix to issue a redirect.
    header('Location: ' . $url . '?' . session_name() . '=' . session_id());

This will add something along the lines of PHPSESSID=etnm7kbuf5lg0r6tv7je6ehtn4 to the URL, which tells PHP the session identifier that it should use.

-2
Jun 30 '09 at 18:58