PHP Sessions across sub domains

Question

I am trying to set up the following:

auth.example.com
sub1.example.com
sub2.example.com

If the user visits sub1.example.com or sub2.example.com and they are not logged in, they get redirected over to auth.example.com and can log in.

sub1.example.com and sub2.example.com are two separate applications but use the same credentials.

I tried setting the following in my php.ini:

session.cookie_domain = ".example.com"

but it doesn't seem to be passing the information from one domain to the other.

[Edit]

I tried the following:

sub1.example.com/test.php

session_set_cookie_params(0, '/', '.example.com');
session_start();
print session_id() . "<br>";
$_SESSION['Regsitered'] = 1;
echo '<a href="http://auth.example.com/test.php">Change Sites</a>'

auth.example.com/test.php

session_set_cookie_params(0, '/', '.example.com');
session_start();
print session_id() . "<br>";
$_SESSION['Checked'] = 1;
print_r($_SESSION);

The session IDs are exactly the same but when I dump out the $_SESSION variable it doesn't show both keys, just whatever key I set under each domain.

I have almost the same setup (I set the session cookie domain with a call to "session_set_cookie_params") and it works fine. — Milen A. Radev, Jun 30 '09 at 15:25
You have to enable it in your code as well, see [http://us2.php.net/manual/en/function.session-set-cookie-params.php](http://us2.php.net/manual/en/function.session-set-cookie-params.php) — Residuum, Jun 30 '09 at 15:18
Here is nice function that works http://stackoverflow.com/questions/2835486/php-session-shared-with-subdomain/17638102#17638102 — boksiora, Jul 14 '13 at 09:25

score 145 · Answer 1 · edited Aug 02 '19 at 22:18

145

I do not know if the problem still exists, but I just ran into the same problem and solved it setting a session name before calling session_set_cookie_params():

$some_name = session_name("some_name");
session_set_cookie_params(0, '/', '.example.com');
session_start();

I have changed nothing in my php.ini but now everything is working fine.

edited Aug 02 '19 at 22:18

Patrick Mevzek

10,995
16
38
54

answered Sep 22 '09 at 00:35

jeroen

91,079
21
114
132

10

I confirm, it solves the problem. I tired to get my answer there: http://stackoverflow.com/questions/4948340/how-to-pass-session-variable-to-a-page-in-the-parent-directory. But I found it here. – Roman Feb 10 '11 at 17:04
5

Works perfect! Been looking for ages for this. It was the `$some_name = session_name("some_name");` that did it. Thank you and upvote. – Kit Mar 17 '11 at 12:19
4

Adding `session_name("domain");` was the missing ingredient for me as well. The documentation on php.net regarding these session settings are lacking. There are community posts on php.net that indicate session.name needs to be defined before changes to session_set_cookie_params() can be applied. – David Carroll Jul 03 '11 at 07:28
3

yep. confirmed. nice one was going around in circles for ages there ;) – Daithí Jan 15 '12 at 20:46
1

NOTE... had to close my browser and restart in order to get it to work on the life server. Leave out any `ini_set("session.cookie_domain", ".domain.com");` cause this was causing it to create new session id with every refresh. – Daithí Jan 15 '12 at 21:30
1

session_name() was not needed for me in a case where the cookie_domain was set to ".domain.com" from the beginning (of using the website). As I see it, what it does is getting around the problem that a user already has a PHPSESSID (standard session name) cookie stored for the subdomains, so even if I come from another subdomain with a new ".domain.com" cookie, my already stored "sub.domain.com" cookie is used instead. Setting a different session name discards those old cookies. – Jānis Elmeris Jul 10 '13 at 17:16
1

Please note that the domain needs to contain *at least one dot*. For example, `session_set_cookie_params(0, '/', '.local');` does not work, whereas `session_set_cookie_params(0, '/', '.domain.local');` does. – Olav Aug 11 '13 at 14:23
1

+1 Worked straight out of the box and solved my problem of having a user logged in and then changing the language (which uses subdomains i.e. fr.mysite.com, de.mysite.com). – imperium2335 Jan 25 '14 at 14:30
@jeroen i also uploaded my website at a subdomain.. its domain is www.agicent.com,but my main files are at...ibuildmart.agicent.com/cms. Could please help me.Here sesion is not working.i am into this problem from many days. – Abhishek May 29 '14 at 04:50
1

It worked for me too and solved the problem, feeling miracle. – Homnath Bagale Apr 23 '15 at 09:45
1

This helped me sort out another problem. session array was cleared between pages so doing this actually made them variables stay where they're supposed to be. Thank you for the effort. A real life saver! – MDChaara Jan 17 '16 at 13:21
note: I had problem using "." character in session_name. There were no errors but session was empty each time, so try to change session name if it is not working :) – Buksy Mar 29 '16 at 08:31
1

Adding to this: if you call your PHP script that handles the sessions from a single page application you have to add: header("Access-Control-Allow-Credentials: true"); and set withCredentials: true for the xhrFields when making a request; more here: https://stackoverflow.com/questions/13002038/setting-a-cookie-on-a-subdomain-from-an-ajax-request – flashback Nov 04 '21 at 12:32

score 24 · Answer 2 · edited Aug 02 '19 at 22:17

One thing which can mysteriously prevent session data being read on a subdomain, despite cookies being correctly set to .example.com is the PHP Suhosin patch. You can have everything configured correctly, as per the examples in the question, and it can just not work.

Turn the following Suhosin session settings off, and you're back in business:

suhosin.session.cryptua = Off 
suhosin.session.cryptdocroot = Off

score 5 · Answer 3 · edited Dec 11 '22 at 22:33

5

Try using:

session.cookie_domain = "example.com"

Instead of:

session.cookie_domain = ".example.com"

Note the missing period at the beginning.

edited Dec 11 '22 at 22:33

Syed M. Sannan

1,061
2
9
28

answered Jun 30 '09 at 15:17

George Claghorn

26,261
3
48
48

9

Which browsers are not supported? – gawpertron Feb 16 '11 at 19:09
11

what browser support has to to here? this is a server side action. – Kuf Oct 20 '14 at 17:45
For future readers, make sure to restart your php too, not only apache/nginx after this. – Beyondo Apr 15 '23 at 07:17

Valentin Florea · Answer 4 · 2013-12-09T11:10:55.977

Had this exact problem - I wanted session values created on x.example.local to be available on example.local and vice-versa.

All solutions I found said to change the Session domain by using php_value session.cookie_domain .example.local in .htaccess (or via php.ini or via ini_set).

The catch was I was setting the session.cookie_domain for all subdomains (so far ok) but also for the main domain. Setting the session.cookie_domain on the main domain is apparently a no-no.

Basically the way it worked for me:

set the session.cookie_domain for ALL SUBDOMAINS.
don't set it for the main DOMAIN

Oh yes, please make sure the domain has a TLD (in my case .local). Http protocol doesn't allow cookies/sessions to be stored on a domain without .tld (ie localhost won't work, but stuff.localhost will).

EDIT: Also make sure you always clear your browser cookies while testing/debugging sessions across subdomains. If you don't, your browser will always send the old session cookie which probably doesn't have the correct cookie_domain set yet. The server will revive the old session and therefore you'll get false negative results. (in many posts it's mentioned to use session_name('stuff') for the exact same effect)

score 3 · Answer 5 · edited Aug 02 '19 at 22:16

3

I solved it like this

ini_set('session.cookie_domain', '.testdomain.example');
session_start();

Because I was working on localhost

ini_set('session.cookie_domain', '.localhost');

wasn't working, it sees .localhost as the toplevel instead of .com/.local/... (I suspect)

edited Aug 02 '19 at 22:16

Patrick Mevzek

10,995
16
38
54

answered Apr 12 '12 at 17:27

xtds

2,453
2
19
12

Also fixed it for my machine - Ubuntu 14.04 – dennis Feb 01 '15 at 10:41

score 3 · Answer 6 · edited Oct 24 '19 at 22:12

I have confirmed. joreon's answer is correct. I cannot comment because my reputation is not enough so I post my comment here.

Define the constant in a config file. If you want to change it, no need to modify whole files.

define('ROOT_DOMAIN',   'mysite.example');
define('PHP_SESSION_NAME', 'MYSITE');

The session name can't consist of digits only, at least one letter must be present. Otherwise, a new session id is generated every time.

Use the following code to start using session

session_name(PHP_SESSION_NAME);
session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
session_start();

I'm using this function:

function load_session() {
    if (session_status() == PHP_SESSION_NONE) {
        session_name(PHP_SESSION_NAME);
        session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
        session_start();
    } elseif (session_name() != PHP_SESSION_NAME) {
        session_destroy();
        session_name(PHP_SESSION_NAME);
        session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
        session_start();
    }
}
load_session(); // put it in anywhere you want to use session

score 1 · Answer 7 · edited Aug 02 '19 at 22:14

Sub domain and root domain Cookie Sessions Combined Use

Resource: http://php.net//manual/tr/function.session-set-cookie-params.php

I've tested works

sub.example.com/sessionadd.php?id=123

example.com/sessionview.php // 123

-- Codes

<?php 
$currentCookieParams = session_get_cookie_params(); 

$rootDomain = '.example.com'; 

session_set_cookie_params( 
    $currentCookieParams["lifetime"], 
    $currentCookieParams["path"], 
    $rootDomain, 
    $currentCookieParams["secure"], 
    $currentCookieParams["httponly"] 
); 

session_name('mysessionname'); 
session_start(); 

setcookie($cookieName, $cookieValue, time() + 3600, '/', $rootDomain); 
?>

score 1 · Answer 8 · edited Dec 10 '12 at 16:25

1

Use this , it works:

ini_set('session.cookie_domain', 
    substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));

edited Dec 10 '12 at 16:25

dove

20,469
14
82
108

answered Oct 05 '10 at 20:22

Ivan

11
1

this looks like its setting the cookie for the tld...or am i missing something? – chacham15 Jan 20 '15 at 23:58

score 0 · Answer 9 · answered Jun 30 '09 at 15:18

0

I get the idea that you don't want something like OpenID, like Joel is suggesting, but that you want to have access to the session data across multiple domains.

The only possibility that I can think of as a solution for that problem is to store the sessiondata in a database, and pull it out of that database.

answered Jun 30 '09 at 15:18

Thomas

4,889
4
24
19

Right, while authentication is a part of what I want to do, I'm also interested in the session data that gets stored while the user is working. – dragonmantank Jun 30 '09 at 18:47

score 0 · Answer 10 · edited Aug 02 '19 at 22:15

I have read all answers above, I think my answer is helpful for people googling this:

make sure the browsers send session cookie back to servers (of domain and sub-domains), set session cookie domain as .example.com.
Make sure PHP find the right "target" to restore the session variable:
- If domain and subdomains point to the same machine (maybe different virtual hosts), make sure session_save_path is the same for all (I tested)
- If domain and subdomains point to different machines, the common storage (like database) is best for saving and restoring session data (I didn't test yet). Use session_set_save_handler to do that.

score 0 · Answer 11 · edited Aug 02 '19 at 22:14

0

Simply try using following code just above session_start() method

$sess_life_time = 21600; //in seconds
$sess_path = "/";
$sess_domain = ".example.com";
$sess_secure = true; // if you have secured session
$sess_httponly = true; // httponly flag

session_set_cookie_params($sess_life_time, $sess_path, $sess_domain, $sess_secure, $sess_httponly);

edited Aug 02 '19 at 22:14

Patrick Mevzek

10,995
16
38
54

answered Jul 09 '14 at 10:50

mohsin.mr

498
1
6
21

score 0 · Answer 12 · edited Jul 26 '16 at 20:23

0

I had a similar problem, however, this solution was good for me, perhaps will help others in the future

edit the php.ini

session.cookie_domain = ".example.com"

the magic is here

suhosin.session.cryptdocroot = Off

suhosin.cookie.cryptdocroot = Off

https://www.sitepoint.com/community/t/sessions-across-subdomains-domain-com-phpsessid-changes/3013/19

edited Jul 26 '16 at 20:23

Vic

21,473
11
76
97

answered Jul 26 '16 at 19:06

Willian Santana

41
4

score 0 · Answer 13 · edited Aug 02 '19 at 22:13

I can't speak for other versions of PHP, but in 5.6.6, simply setting the session.cookie_domain value in the php.ini file did the trick to allow all of my subdomains on iPage to share the same set of session variables.

Be sure to remove any existing cookies related to your domain from your browser to test.

session.cookie_domain = '.yourdomainname.example'

Oh, don't know if it makes any difference but I'm also using session autostart.

session.auto_start = 1

score 0 · Answer 14 · answered Apr 13 '20 at 20:32

0

Use :

session_name("put_a_session_name");
session_start([
  "cookie_domain" => ".example.com",
  "cookie_path" => "/"
]);

answered Apr 13 '20 at 20:32

Shakil Ahmmed

108
6

score 0 · Answer 15 · edited Aug 02 '19 at 22:17

I know this is old but this works fine for me with multiple domains and sub domains on the same box.

<?php
define('site_domain','example.com');
session_set_save_handler('_open',
                         '_close',
                         '_read',
                         '_write',
                         '_destroy',
                         '_clean');

function _open(){

    global $_sess_db;

$db_user = 'user';
$db_pass = 'pass';
$db_host = 'localhost';

if ($_sess_db = mysql_connect($db_host, $db_user, $db_pass)){

    return mysql_select_db('database', $_sess_db);

}

return false;

}

function _close(){

    global $_sess_db;
    return mysql_close($_sess_db);

}

function _read($id){

    global $_sess_db;
    $id = mysql_real_escape_string($id);
    $domain = mysql_real_escape_string(site_domain);
    $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));

    $sql = "SELECT data
    FROM sessions
    WHERE id = '$id' AND domain = '$domain' AND agent = '$agent'";

     if ($result = mysql_query($sql, $_sess_db)){

         if (mysql_num_rows($result)){
             $record = mysql_fetch_assoc($result);
             return $record['data'];
        }

    }

    return '';

}

function _write($id, $data){

    global $_sess_db;
    $access = time();

    $id = mysql_real_escape_string($id);
    $access = mysql_real_escape_string($access);
    $data = mysql_real_escape_string($data);
    $domain = mysql_real_escape_string(site_domain);
    $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));

    $sql = "REPLACE INTO sessions
    VALUES ('$id', '$access', '$data', '$domain', '$agent')";

    return mysql_query($sql, $_sess_db);

}

function _destroy($id){

    global $_sess_db;
    $id = mysql_real_escape_string($id);
    $domain = mysql_real_escape_string(site_domain);
    $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));

    $sql = "DELETE FROM sessions
    WHERE id = '$id' AND domain = '$domain' AND agent = '$agent'";

    return mysql_query($sql, $_sess_db);

}

function _clean($max){

    global $_sess_db;
    $old = time() - $max;
    $old = mysql_real_escape_string($old);
    $domain = mysql_real_escape_string(site_domain);
    $agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));

    $sql = "DELETE FROM sessions
    WHERE  access < '$old' AND domain = '$domain' AND agent = '$agent'";

    return mysql_query($sql, $_sess_db);

}

?>

What question are you answering? And how does this improve/enhance on the 9 other answers? — random_user_name, Oct 28 '12 at 21:20

score -2 · Answer 16 · edited Aug 02 '19 at 22:18

-2

A quick and dirty solution is to use this for your redirect:

header( $url.'?'.session_name().'='.session_id() );

this will add something along the lines of ?PHPSESSID=etnm7kbuf5lg0r6tv7je6ehtn4 to the URL, which tells PHP the session id it should use.

edited Aug 02 '19 at 22:18

Patrick Mevzek

10,995
16
38
54

answered Jun 30 '09 at 18:58

sakabako

1,150
7
14

3

It also leaves it highly vulnerable to session theft :) The problem isn't with the session IDs not matching (they are, see my updated post), but with the data not moving between the domains. – dragonmantank Jun 30 '09 at 19:08
Agreed, this is highly vulnerable leaving session ID in the query string. – Ian Jamieson Feb 18 '13 at 10:02
4

Cookies are also sent as plain text, this does not open any avenues that were not already open. I'm not saying it's a good solution, but it is no less secure than using cookies. – sakabako Mar 01 '13 at 19:48
1

It is less secure in the sense that users may be (tricked into) sharing their URL and thus share their active session ID. It is much less likely that a user will share their session ID cookie unwittingly. – Bastiaan ten Klooster Oct 09 '17 at 09:33

PHP Sessions across sub domains

16 Answers16

Linked

Related