Web Hosting Talk

[PHP] Sessions over multiple subdomains


ResellerPlanet
07-16-2008, 05:31 AM
Hello,

I'm trying to share login information (stored in sessions) between 2 subdomains, i.e. sub1.example.com and sub2.example.com. Both subdomains are hosted on the same server.

I've tried several things (like using session_set_cookie_params() to set the cookie domain) and just using a custom php.ini, both to set the cookie domain of the session cookie to ".example.com".

On sub1.example.com I have a test script which sets a session (and displays it once it's been set on each page reload). This works fine. I get:


PHPSESSID c6425dc25a99752d980caeac914f7e48

Array
(
[test] => test
)

Array
(
[lifetime] => 0
[path] => /
[domain] => .example.com
[secure] =>
[httponly] =>
)


This is what you get when I output the session name, session ID, below that the contents of $_SESSION and finally the result of session_get_cookie_params(). As you can see, the session is set.

Now when I run this exact same script on sub2.example.com, I get:


PHPSESSID c6425dc25a99752d980caeac914f7e48

Array
(
)

Array
(
[lifetime] => 0
[path] => /
[domain] => .example.com
[secure] =>
[httponly] =>
)


As you can see, same session name/id so you'd think it would work, BUT the $_SESSION array is suddenly empty!

Now when I go back to sub1.example.com after visiting sub2.example.com, I notice that over there the $_SESSION variable is empty too.

Strange. First it's set on sub1, then I visit sub2 and it seems to reset the session instead of using the session data set by sub1.

Any idea what might be causing this?

webcertain
07-16-2008, 05:34 AM
hmm this definitely looks to be like your session is only valid for one subdomain.

what version of php ?

edit : using apache ? what version ?

from some googling it seems that lots of things can cause this - php config, things that harden security on the server, etc.

what you could do is generate a unique id in php, store this in a database, and use it across both domains, would skip the cookies out entirely

ResellerPlanet
07-16-2008, 05:40 AM
> hmm this definitely looks to be like your session is only valid for one subdomain.
>
> what version of php ?

PHP Version 5.2.6

Here's my session config:


session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain .example.com .example.com
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path no value no value
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

ResellerPlanet
07-16-2008, 06:19 AM
> edit : using apache ? what version ?
>
> from some googling it seems that lots of things can cause this - php config, things that harden security on the server, etc.
>
> what you could do is generate a unique id in php, store this in a database, and use it across both domains, would skip the cookies out entirely

Yes, Apache/2.2.8. I'm running Suhosin... Might that be causing it?

I don't have access to the code on one of my subdomains since it's encoded with Ioncube. Therefore I can't use any other coding tricks such as using a MySQL database.

webcertain
07-16-2008, 06:22 AM
yes, suhosin is definitely a suspect, as it tries to prevent cross site scripting, which is sorta what this is.

edit : suhosin.session.cryptdocroot < this is mentioned on http://bugs.php.net/bug.php?id=43682 , so it's worth looking if this value is the cause.

ResellerPlanet
07-16-2008, 06:33 AM
> yes, suhosin is definitely a suspect, as it tries to prevent cross site scripting, which is sorta what this is.
>
> edit : suhosin.session.cryptdocroot < this is mentioned on http://bugs.php.net/bug.php?id=43682 , so it's worth looking if this value is the cause.

Yes, thanks, I just figured it out. The suhosin.session.cryptdocroot (and possibly suhosin.cookie.cryptdocroot) features were causing this. Disabling them resolved my issue.

Thanks!
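
Added example (not part of the thread, and not Suhosin's own code): a simplified PHP model of a session store whose encryption key is bound to the document root, showing why the same PHPSESSID yields an empty $_SESSION on sub2 and then on sub1 as well. The key derivation, the AES-256-GCM cipher, SERVER_KEY, the document root paths and all function names are assumptions made for illustration; it needs PHP 7.1+ with the openssl extension.

```php
<?php
// Simplified model only: Suhosin's real key derivation and cipher differ.
// SERVER_KEY is a constructed stand-in for the configured session crypt key.
const SERVER_KEY = 'constructed-server-secret';

function deriveKey(string $docroot, bool $bindDocroot): string
{
    // With binding on, the vhost's document root is mixed into the key.
    return hash('sha256', SERVER_KEY . ($bindDocroot ? $docroot : ''), true);
}

function sealSession(array $data, string $key): string
{
    $iv = random_bytes(12);
    $ct = openssl_encrypt(serialize($data), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $iv . $tag . $ct;   // 12-byte IV, 16-byte tag, ciphertext
}

function openSession(string $blob, string $key): array
{
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($blob, 0, 12), substr($blob, 12, 16));
    // Data that cannot be decrypted is treated as an empty session.
    return $pt === false ? [] : unserialize($pt, ['allowed_classes' => false]);
}

function visit(string &$store, string $docroot, bool $bind, ?array $write = null): array
{
    $key = deriveKey($docroot, $bind);
    $session = $store === '' ? [] : openSession($store, $key);
    if ($write !== null) { $session = $write + $session; }
    $store = sealSession($session, $key);   // session is written back at request end
    return $session;
}

// Constructed document roots for the two subdomains.
$sub1 = '/home/user/sub1';
$sub2 = '/home/user/sub2';
foreach ([true, false] as $bind) {
    $store = '';                            // one shared session file, same PHPSESSID
    visit($store, $sub1, $bind, ['test' => 'test']);
    $seenOnSub2 = visit($store, $sub2, $bind);
    $backOnSub1 = visit($store, $sub1, $bind);
    printf("cryptdocroot=%s sub2: %s sub1 again: %s\n",
        $bind ? 'On' : 'Off', json_encode($seenOnSub2), json_encode($backOnSub1));
}
```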