13

I am working with CakePHP and I have an issue maintaining a session across subdomains. My problem is as follows:

  • Users log in on 'localhost/login'
  • If authenticated they are redirected to 'customer.localhost/home'.

Currently Cake is creating a cookie for each domain, i.e. localhost and customer.localhost. This means that I cannot keep the session working for the user. Is there a way to fix the domain of all cookies to the parent domain, with the goal of keeping the session working across subdomains?

I have tried entering this in my bootstrap but it has no effect: ini_set('session.cookie_domain', '.localhost');

If you think this cannot be done please feel free to let me know so that I can move on from this frustrating problem.

Many thanks,

kSeudo

kSeudo

2 Answers

20

Sessions (CakePHP 2.x):

To make the session cookie valid for all your subdomains and the top level domain, you actually need to set it yourself in your APP/config/bootstrap.php file:

ini_set('session.cookie_domain', '.domain.com');

Then, in your APP/config/core.php file, set Security to low:

Configure::write('Security.level', 'low');

"otherwise the referer_check will be set to the current HTTP_HOST in the CakeSession object line 441."

Sessions (CakePHP 3.x)

The session cookie path defaults to app’s base path. To change this you can use the session.cookie_path ini value. For example if you want your session to persist across all subdomains you can do:

Configure::write('Session', [
    'defaults' => 'php',
    'ini' => [
        'session.cookie_path' => '/',
        'session.cookie_domain' => '.yourdomain.com'
    ]
]);


Cookies (CakePHP 2.x):

On this page it explains that you can use the 'domain' variable:

The domain name allowed to access the cookie. e.g. Use ‘.yourdomain.com’ to allow access from all your subdomains.

Per their example code:

<?php
// CakePHP 2.x: the properties below belong inside a controller class.
class AppController extends Controller {
    public $components = array('Cookie');

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Cookie->name = 'baker_id';
        $this->Cookie->time = 3600;  // or '1 hour'
        $this->Cookie->path = '/bakers/preferences/';
        $this->Cookie->domain = 'example.com';
        $this->Cookie->secure = true;  // i.e. only sent if using secure HTTPS
        $this->Cookie->key = 'qSI232qs*&sXOw!';  // encryption key (sample value; use your own secret)
        $this->Cookie->httpOnly = true;  // not readable from JavaScript
    }
}

Cookies (CakePHP 3.x):

Read here.

The domain that the cookie is available. To make the cookie available on all subdomains of example.com set domain to ‘.example.com’.

Dave
  • Thanks, with your help I eventually got it to work. One thing to remember: do not try to do this with 'localhost'; make sure you use a domain in your host like 'example.com'. – kSeudo May 11 '12 at 14:08
  • I just emptied the variable 'session.cookie_domain' in bootstrap.php for it to work for me on localhost. Your answer did give me the hint to the solution!! – Jigar Tank Sep 13 '14 at 19:19
  • @Dave I'm using CakePHP v1.3 and I have made all the changes mentioned above. It's working for the session but not for the cookie. What can I do for the cookie? – SaNdY Jun 03 '16 at 13:27
  • What about if the Cake version is 3? – afsane Apr 23 '18 at 11:16
  • I have multiple projects on the same server host on different ports and the sessions are getting mixed up. Can I specify the domain along with the port? – alamnaryab Nov 21 '20 at 10:35
  • I don't see any option for specifying the port. You could prefix the keys with the port or something like that I suppose. Not secure, but might work depending on what you're looking to do. – Dave Nov 21 '20 at 15:03
1

There is a config in app/Config/core.php to change session cookie domain:

Configure::write('Session', array(
    'defaults' => 'php',
    'ini' => array(
        // each key is passed to ini_set(), so it needs the full directive name
        'session.cookie_domain' => '.example.com'
    )
));
majna
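
Added example (not from either answer or from CakePHP itself): a simplified JavaScript model of the browser-side cookie rules in RFC 6265 that the answers and comments above depend on. It shows why a session cookie set without a Domain attribute stays on one host, what `.example.com` changes, and why the port never separates cookies. The host names and the `CAKEPHP` cookie name are sample values.

```javascript
// Simplified model of RFC 6265 cookie scoping (constructed hosts and names).
// Covers only the Domain attribute and domain-match; path, Secure, expiry,
// IP-address hosts and public-suffix checks are left out.

// RFC 6265 section 5.1.3: host equals domain, or ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Build the cookie a user agent would store for a response from `originHost`.
// `domainAttr` is the Domain attribute value, or null when none was sent.
function storeCookie(name, originHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to the exact host only.
    return { name, domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  // A server may only set cookies for its own host or a parent of it.
  if (!domainMatch(originHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would `cookie` be attached to a request for `url`? The port is never consulted.
function isSent(cookie, url) {
  const host = new URL(url).hostname.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function demo() {
  const hostOnly = storeCookie('CAKEPHP', 'example.com', null);
  const shared = storeCookie('CAKEPHP', 'example.com', '.example.com');
  return {
    hostOnlyOnSubdomain: isSent(hostOnly, 'https://customer.example.com/home'),
    sharedOnSubdomain: isSent(shared, 'https://customer.example.com/home'),
    sharedOnSibling: isSent(shared, 'https://other.example.com/'),
    sharedOnLookalike: isSent(shared, 'https://badexample.com/'),
    foreignDomainRejected:
      storeCookie('CAKEPHP', 'customer.example.com', 'other.test') === null,
    portsShareCookie: isSent(hostOnly, 'http://example.com:8080/') &&
      isSent(hostOnly, 'http://example.com:8081/'),
  };
}

console.log(demo());
```

A cookie scoped to `.example.com` is sent to every host under that domain, so each of those hosts receives the session ID. Where apps on different ports share a host, giving each its own session cookie name (the `Session.cookie` setting in CakePHP) keeps their sessions apart.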