79

I use PHP sessions (not cookies, except for the session ID cookie) for all user data, and when a user goes to their profile user.mydomain.example they are immediately "logged out" until they remove the subdomain.

Is there a way to accept sessions from all domains as long as it's *.mydomain.example?

Stephen Ostermiller
Anthony
  • 1
    First, `ini_set('session.cookie_domain', '.example.com')`, *then* `session_start()` or `Session::start()` from https://github.com/delight-im/PHP-Cookie – caw Jul 12 '16 at 23:49

10 Answers

98

Here are 4 options.

Place this in your php.ini:

session.cookie_domain = ".example.com"

Or in your .htaccess:

php_value session.cookie_domain .example.com

Or as the first thing in your script:

ini_set('session.cookie_domain', '.example.com' );

Or in your php-fpm pool configuration for your site:

php_value[session.cookie_domain] = .example.com
Lidor
CTT
  • 2
    Unfortunately all 3 failed to work, does there need to be a star * ? – Anthony Mar 14 '09 at 00:11
  • 2
    Very strange, I've used those methods before and they work fine. Do you by chance have Suhosin installed? I remember there being a setting that needed to be changed to allow this. If you don't, can you post more info about your install (e.g. apache, lighttpd, php version)? – CTT Mar 14 '09 at 00:25
  • Some packages come with Suhosin on it. `php -i | grep -i 'Suhosin'` to see if it's there – Stephen Fuhry Dec 29 '11 at 20:17
  • I had disabled Suhosin, etc. etc., everything on every board everywhere; my answer below was all that I could get to work. I checked my phpinfo and all: the domain was set, Suhosin encryption off, and it still was regenerating a new session ID every time I'd enter a new subdomain. – sucitivel Feb 24 '12 at 16:17
  • 4
    @CTT please add a fourth option to your answer: `session_set_cookie_params(0, '/', 'example.com', false, false);` – Sacred Socks Jun 05 '12 at 09:05
  • 8
    Don't forget to actually close the browser then open it again. Otherwise you're going to go in circles! .. I did – AndrewC May 08 '13 at 16:11
  • 9
    Another reminder for dumb people like me: make sure `ini_set('session.cookie_domain', '.example.com');` comes _before_ `session_start();` – Ben Y Sep 21 '13 at 00:25
  • 1
    Remember to clear out the previous session before trying these by restarting Apache. – The Unknown Dev Jan 23 '17 at 18:14
  • `ini_set('session.cookie_domain', '.example.com' );` this one worked for me. Thanks. – NightOwl Jun 26 '18 at 05:06
  • IMPORTANT: If you have different PHP versions running on the main site and on the "subdomain" - NOTHING OF THIS WILL WORK! I spent 4 hours debugging PHP sessions and then realized that the main domain was running on PHP 7.1 and the subdomain was on 5.6... so if the above solutions don't work and no error is thrown - CHECK THE PHP VERSION! ...also check session.save_path; they must match for the main site and the subdomain! – Peter Aug 11 '19 at 23:28
  • Adding to this: if you call your PHP script that handles the sessions from a single page application you have to add: header("Access-Control-Allow-Credentials: true"); and set withCredentials: true for the xhrFields when making a request; more here: https://stackoverflow.com/questions/13002038/setting-a-cookie-on-a-subdomain-from-an-ajax-request – flashback Nov 04 '21 at 12:28
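
The options in the answer above all set the same directive. As an added example (not code from the original answer or its comments), this bootstrap applies it in code and guards against the pitfalls raised in the comments: ordering before `session_start()`, a common session name, and a matching `session.save_path`. It also enables strict mode and the Secure/HttpOnly flags. The domain, the session name, an HTTPS-only deployment and PHP 7.3+ (for the array form of `session_set_cookie_params()`) are assumptions.

```php
<?php
// Added example: shared-session bootstrap to include on every subdomain.
// SHARED_DOMAIN and SESSION_NAME are assumed values; replace with your own.
declare(strict_types=1);

const SHARED_DOMAIN = '.example.com';  // assumption: parent domain of all sites
const SESSION_NAME  = 'mysession';     // must be identical on every subdomain

function start_shared_session(): void
{
    // Cookie settings only take effect if applied before the session starts
    // and before any output has been sent.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('session already started; cookie domain not applied');
    }
    if (headers_sent($file, $line)) {
        throw new RuntimeException("output already sent at $file:$line");
    }

    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL

    session_name(SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,              // browser-session cookie, as in the answers
        'path'     => '/',
        'domain'   => SHARED_DOMAIN,  // cookie is sent to every *.example.com host
        'secure'   => true,           // assumption: all sites are served over HTTPS
        'httponly' => true,           // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful login so an ID issued before login cannot be reused.
function on_login(int $userId): void
{
    session_regenerate_id(true);      // new ID; the old session data is deleted
    $_SESSION['user_id'] = $userId;
}

start_shared_session();
// Compare this log line across subdomains: name and save path must match.
error_log(sprintf('session name=%s save_path=%s domain=%s',
    session_name(), session_save_path(), session_get_cookie_params()['domain']));
```

Because the cookie is sent to every host under the parent domain, each subdomain that can read it can act on the session.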
13
        if(isset($_COOKIE['session_id']))
            session_id($_COOKIE['session_id']);
        Zend_Session::start(); //or session_start();
        if(!isset($_COOKIE['session_id']))
            setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');

Security be damned; if you are as frustrated with incomplete or bad answers as I am, this is your savior. It just works.

Stephen Ostermiller
sucitivel
  • 3
    This worked for me, but I don't understand the security issue. Would you mind explaining what security issues might be there? – Neo Oct 17 '17 at 05:38
6

Change the session name at the top of the core functions file, like

 session_name('mysession');

Then use the following code in the PHP page:

  session_set_cookie_params(0,"/",".example.com",FALSE,FALSE);
  setcookie(session_name(), session_id(),0,"/","example.com");
  session_start();

Finally, change the default session name of the subdomain and remove the default cookie in the subdomain's core functions file, like:

 /*default session name*/
 session_name("mysession");
 /*remove the PHPSESSID and default session name from subdomain's cookie*/
 setcookie( "mysession", "",1,"/" );
 setcookie( "PHPSESSID", "",1,"/" );

If you continue using PHPSESSID as your cookie name, just remove all the function calls with the "mysession" string, like session_name('mysession') and setcookie( "mysession", "",1,"/" );

Then check your browser's existing cookies, remove all the cookies of the domain and subdomain, and repeat the process.

Karthikeyan Ganesan
4

I know this is quite old - but to further expand on @CTT's suggestion - I needed to add a php.ini file in each sub-directory (that will be executing php code and requires the session) of my subdomain with the following text:

suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off

I hope this helps (it took me ages to figure this out).

joeldixon66
  • This one is evil, been debugging for 2 hours now, as session sharing been working fine on my local environment. should have checked suhosin settings earlier – weyandch Apr 27 '14 at 23:09
4

Another option that worked for me is to force the name of the session:

session_name("myWebsite");
session_start(); 
benka
4

Yes, ini_set is working, but remember to destroy all caches and cookies of the browser to see that it works.

  1. Destroy all caches and cookies of your browser.
  2. In your xxx.example.com and yyy.example.com, your PHP files should start like this:

    ini_set('session.cookie_domain', '.example.com' );
    session_start();
    
techraf
Wikum Ekanayake
0

I just had this problem and it turns out I was using different php.ini files for two different sub-domains. These ini files specified different session.save_path variables. For obvious reasons this needs to be the same for all sub-domains that need to share sessions.

Mike
0

Try this:

session_start();

$sessionId = session_id();

Log the user in. When the user switches to another subdomain, send the session ID in the URL like this: user.mydomain.example/?id=$sessionId

$sessionId = $_GET['id'];

// session_start() does not accept an ID; set it with session_id() first
session_id($sessionId);
session_start();

Now the user will get all the session values and stay logged in.

Stephen Ostermiller
abrar
0

Before session_start() use session_set_cookie_params() replacing .domain.example with your domain like this example:

session_set_cookie_params(0, '/', '.domain.example');
session_start();
Stephen Ostermiller
Marco Concas
-3
if(isset($_COOKIE['session_id']))
    session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();

if(!isset($_COOKIE['session_id']))
    setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');

This is a good solution, but you cannot use it in all situations. For example, it will not work when you cannot rely on non-session cookies.

This actually MUST work if you use it correctly.

ini_set('session.cookie_domain', '.example.com' );

For example, you need to put it before session_start() and also in all files that call session_start().

Stephen Ostermiller