0

I have been working on converting my website's session information over from flat files to database sessions for a variety of reasons, the main reason being I use the same database of users for both the Administration panel and user panels.

The administration panel is set on a subdomain of our main domain, i.e.:

domain.com
staff.domain.com

Both of the domains use the exact same session handler, however when it comes to actually creating the session on the sub-domain and normal domain, two different session_ids are created for the same computer / person.

Is this behavior normal? Is there a way I can make it so logging in the User Panel will also allow me to use the staff panel without logging in as the session is already created?

Thank you

Jake Ball

4 Answers

2

From your PHP script you can set :

ini_set('session.cookie_domain', '.domain.tld');

In order to share the session across subdomains.

The fact that you store sessions into DB shouldn't have to do with this capability directly, since I assume you're using a class to wrap the session read/write functionality thanks to something like session_set_save_handler.

darma
1

I assume you're using cookies to transport the session id. The cookie will not get passed to the other part of the website because it is on a different (sub) domain. Therefore PHP generates a new session id.

However, if you manage that both parts have the same session-name and you manage to pass the session-id, then everything should just work.

You can for example create a special script that accepts the session id as parameter and you then take over that session data.

But be careful here so that this can not be easily misused to steal sessions. So probably using a cookie that works for both sites might be a more simple solution.

hakre
  • Hello, If I am following correctly, in order for me to be able to do this I am going to have to use cookies, have the cookies name something like "login-id" which would then contain an encrypted session_id? Thanks! – Jake Ball Aug 16 '12 at 18:05
  • 1
    @JakeBall: You are already using cookies as the mechanism for transporting session ids. What you need to do is make sure the cookies apply to both subdomains. – Jon Aug 16 '12 at 18:11
  • @Jon thank you, I have always put sessions behind me as I find them very confusing, that alongside cookies. I will take all the advice into consideration, have a good read of the documentation for the appropriate functions and have a crack at this again. Thank you! – Jake Ball Aug 16 '12 at 18:13
  • 1
    @JakeBall: I posted a possible duplicate above of which I think is about the session cookie (and related potential issues to configure that). For the cookies, I suggest you just go to your session-site and then learn about the feature of your browser to show you all the cookies. That should give you some important insight. You can also track the network traffic and see the cookies passed around in requests and responses. You sure can even inject session cookies your own which then would be probably more safe :) Also don't forget to regenerate the session id at important points. – hakre Aug 16 '12 at 18:13
1

You need to call session_set_cookie_params and set the domain for the session cookies appropriately before starting the session in each case. The documentation describes exactly what needs to be done.

Jon
0

If you are using cookies to store the session ID, then you need to make sure you are setting your cookies with a subdomain wildcard value. That is, by default PHP sets cookies using the full subdomain and domain names (i.e. the cookie domain is 'www.domain.com'). If you set the cookies with a domain of '.domain.com', the cookie will be readable by all subdomains of 'domain.com'.

Mike Brant
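An added example, not taken from any of the answers above: a shared bootstrap that both domain.com and staff.domain.com could include, combining the cookie-domain setting the answers describe with the advice in the comments to regenerate the session id. The function names, the session name `APPSESSID` and the `is_staff` flag are assumptions of this example. It also assumes PHP 7.3+ (array form of `session_set_cookie_params`), HTTPS on both hosts, and that the database save handler is registered before `start_shared_session()` is called.

```php
<?php
declare(strict_types=1);

// Hypothetical shared bootstrap; names below are this example's own.
const SHARED_COOKIE_DOMAIN = 'domain.com'; // placeholder domain from the question
const SHARED_SESSION_NAME  = 'APPSESSID';  // assumed; must be identical on both hosts

function start_shared_session(): void
{
    // Only accept session ids the server issued, and only from cookies.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_name(SHARED_SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,                    // browser-session cookie
        'path'     => '/',
        'domain'   => SHARED_COOKIE_DOMAIN, // sent to domain.com and every subdomain
        'secure'   => true,                 // never sent over plain HTTP
        'httponly' => true,                 // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function mark_logged_in(int $userId, bool $isStaff): void
{
    // New id at the privilege change, old session row deleted (fixation defence).
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_staff'] = $isStaff;
}

function require_staff(): void
{
    // A shared session only proves who the user is; the staff panel
    // still has to check that this user is allowed in.
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_staff'])) {
        http_response_code(403);
        exit('Staff access required');
    }
}
```

Because the cookie is now sent to every host under the shared domain, any subdomain that receives it can act on that session, so the staff panel should call something like `require_staff()` on each request rather than trusting that a session exists.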