[PHP] Sessions over multiple subdomains

#1 | ResellerPlanet | 07-16-2008, 05:31 AM

Hello,

I'm trying to share login information (stored in sessions) between 2 subdomains, i.e. sub1.example.com and sub2.example.com. Both subdomains are hosted on the same server.

I've tried several things (like using session_set_cookie_params() to set the cookie domain) and just using a custom php.ini, both to set the cookie domain of the session cookie to ".example.com".

On sub1.example.com I have a test script which sets a session (and displays it once it's been set on each page reload). This works fine. I get:

Quote:
PHPSESSID c6425dc25a99752d980caeac914f7e48

Array
(
[test] => test
)

Array
(
[lifetime] => 0
[path] => /
[domain] => .example.com
[secure] =>
[httponly] =>
)

This is what you get when I output the session name, session ID, below that the contents of $_SESSION and finally the result of session_get_cookie_params(). As you can see, the session is set.

Now when I run this exact same script on sub2.example.com, I get:

Quote:
PHPSESSID c6425dc25a99752d980caeac914f7e48

Array
(
)

Array
(
[lifetime] => 0
[path] => /
[domain] => .example.com
[secure] =>
[httponly] =>
)

As you can see, same session name/id so you'd think it would work, BUT the $_SESSION array is suddenly empty!

Now when I go back to sub1.example.com after visiting sub2.example.com, I notice that over there the $_SESSION variable is empty too.

Strange. First it's set on sub1, then I visit sub2 and it seems to reset the session instead of using the session data set by sub1.

Any idea what might be causing this?

#2 | webcertain | 07-16-2008, 05:34 AM

hmm this definitely looks to be like your session is only valid for one subdomain.

what version of php ?

edit : using apache ? what version ?

from some googling it seems that lots of things can cause this - php config, things that harden security on the server, etc.

what you could do is generate a unique id in php, store this in a database, and use it across both domains, would skip the cookies out entirely

__________________
WebCertain - SEO, PPC, PR - The services you need to increase your site traffic. Specialists in over 35 languages and country-specific SEO! www.webcertain.com


Last edited by webcertain; 07-16-2008 at 05:45 AM.
#3 | ResellerPlanet | 07-16-2008, 05:40 AM

Quote (originally posted by webcertain):
> hmm this definitely looks to be like your session is only valid for one subdomain.
>
> what version of php ?

PHP Version 5.2.6

Here's my session config:

Quote:
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain .example.com .example.com
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path no value no value
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

#4 | ResellerPlanet | 07-16-2008, 06:19 AM

Quote (originally posted by webcertain):
> edit : using apache ? what version ?
>
> from some googling it seems that lots of things can cause this - php config, things that harden security on the server, etc.
>
> what you could do is generate a unique id in php, store this in a database, and use it across both domains, would skip the cookies out entirely

Yes, Apache/2.2.8. I'm running Suhosin... Might that be causing it?

I don't have access to the code on one of my subdomains since it's encoded with Ioncube. Therefore I can't use any other coding tricks such as using a MySQL database.

#5 | webcertain | 07-16-2008, 06:22 AM

yes, suhosin is definitely a suspect, as it tries to prevent cross site scripting, which is sorta what this is.

edit : suhosin.session.cryptdocroot < this is mentioned on http://bugs.php.net/bug.php?id=43682 , so it's worth looking if this value is the cause.

#6 | ResellerPlanet | 07-16-2008, 06:33 AM

Quote (originally posted by webcertain):
> yes, suhosin is definitely a suspect, as it tries to prevent cross site scripting, which is sorta what this is.
>
> edit : suhosin.session.cryptdocroot < this is mentioned on http://bugs.php.net/bug.php?id=43682 , so it's worth looking if this value is the cause.

Yes thanks I just figured it out. The suhosin.session.cryptdocroot (and possibly suhosin.cookie.cryptdocroot) features were causing this. Disabling them resolved my issue.

Thanks!
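
A diagnostic for the problem resolved in this thread, as an added example that is not part of any poster's message: run it on each subdomain and compare the two outputs. It assumes the Suhosin extension; `suhosin.session.encrypt` and `suhosin.cookie.encrypt` are Suhosin directives not named in the thread, and the script name and helper function are hypothetical.

```php
<?php
// session_share_check.php (hypothetical name). Added example, not code from the thread.
// A session shared between sub1 and sub2 needs the same cookie domain, the same
// session storage and, under Suhosin, an encryption key that is the same on both
// virtual hosts, i.e. one that does not depend on the document root.

// Interpret an ini value ("1", "On", "0", "", false) as a boolean.
function ini_flag($name)
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

$directives = array(
    'session.cookie_domain',
    'session.save_handler',
    'session.save_path',
    'suhosin.session.encrypt',
    'suhosin.session.cryptdocroot',
    'suhosin.cookie.encrypt',
    'suhosin.cookie.cryptdocroot',
);

header('Content-Type: text/plain');
echo 'server name   : ', isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '(cli)', "\n";
echo 'document root : ', isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '(cli)', "\n";
echo 'suhosin loaded: ', extension_loaded('suhosin') ? 'yes' : 'no', "\n\n";

foreach ($directives as $name) {
    $value = ini_get($name); // false when the directive is not registered
    printf("%-30s %s\n", $name, $value === false ? '(not available)' : var_export($value, true));
}

// With encryption and cryptdocroot both on, the key is derived from this
// virtual host's document root. Session data written on the other subdomain
// then fails to decrypt and $_SESSION comes back empty, as seen in post #1.
$sessionTied = ini_flag('suhosin.session.encrypt') && ini_flag('suhosin.session.cryptdocroot');
$cookieTied  = ini_flag('suhosin.cookie.encrypt') && ini_flag('suhosin.cookie.cryptdocroot');

echo "\nsession data tied to document root: ", $sessionTied ? 'yes' : 'no', "\n";
echo 'cookies tied to document root     : ', $cookieTied ? 'yes' : 'no', "\n";
```

If either line reports "yes" and the two hosts show different document roots, that matches the cause found in post #6. Turning off only the `cryptdocroot` flags leaves Suhosin's session encryption itself enabled.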
