3

I have a problem with sessions on my multi-domain website.

In fact, I have:

  • www.website.com

and

  • my-account.website.com

In the php.ini, I've set: `session.cookie_domain = ".website.com"`

I checked with phpinfo(); that it changed correctly, and it's OK: I have the same values for both websites (domain and sub-domain):

  • the same session.cookie_domain, session.save_path, session.cookie_path.

  • session.cookie_lifetime = 0 and session.cookie_secure is off

Well, now, when I try some tests:

  • Define a session_name on www.website.com, start the session, define a session value like $_SESSION["test"] = "myvalue"; and I display the session_id.
  • Go to my-account.website.com and open the session with the same session name; I check the session ID and I find the same ID as on www.website.com, but I have lost the session value that I defined. $_SESSION["test"] is lost.

Conclusion: the session ID is kept, but session values are lost.

Any idea? I have tried changing it with session_set_cookie_params(0, '/', '.website.com'); on each website. I also tried to use the htaccess php_value session.cookie_domain ".website.com"

HELP, THAT MADE ME CRAZY.

  • Does your hosting environment use the [suhosin patchset](http://www.hardened-php.net/suhosin/)? It could be used to encrypt the session values with (among others) the domain they are coming from, so one domain can't read other domain's cookies. (useful in shared hosting) – complex857 Nov 20 '12 at 10:29
  • I'm not on shared hosting, but on an OVH private server, Debian 6 with Apache. But it's very strange because I worked on sharing sessions between sub-domains 3 months ago and that worked fine, but when I worked on it again 1 week ago, nothing works :/ Reboot and relaunch apache and server solve anything. – Jérémy Fuertes Nov 20 '12 at 10:40
  • `phpinfo()` tells you if you got suhosin or not, but if my memory serves me right the default php install on debian includes it. Check [this answer](http://stackoverflow.com/a/11657470/1515540) it might help. – complex857 Nov 20 '12 at 10:43
  • OK, I tried to turn off suhosin with `php_value suhosin.session.cryptdocroot off` on any .htaccess. session_set_cookie_params(0, '/', '.website.com'); session_start(); echo session_id().'
    '; echo $_SESSION["test"]; I define TEST on my-account.website.com and I try to display it here. Session IDs are the same, but TEST is lost on www.website.com.
    – Jérémy Fuertes Nov 20 '12 at 10:52
  • Suhosin has nothing to do with this. If it did - you wouldn't get the same session ID as that is the only thing contained in the session cookie. What's your session.save_path? – Narf Nov 20 '12 at 10:58
  • my `session.cookie_path` is `/` – Jérémy Fuertes Nov 20 '12 at 11:33

1 Answer

0

After an unsuccessful search, I re-installed apache2 on my Debian. The problem was solved and session values are shared successfully.

I think my apache2 was corrupted by a plugin installation 2 months ago.
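
A diagnostic sketch for the symptom in this thread (same session ID on both hosts, values missing), added here and not posted by any participant: it reports the settings the comments ask about (`session.save_path`, the suhosin session directives) and whether the session file holds bytes that this host could not decode. The session name `SHAREDSESS` and the report field names are assumptions, and only the `files` handler with a flat save path is inspected.

```php
<?php
// Added diagnostic (not code from the thread). Put the same file on both hosts,
// open each in the same browser, and compare the two JSON reports.
// 'SHAREDSESS' is a placeholder name; '.website.com' is the domain from the question.
session_name('SHAREDSESS');
session_set_cookie_params(0, '/', '.website.com');
session_start();

$host  = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : php_sapi_name();
$seen  = $_SESSION;                       // what this host could decode from the store
$parts = explode(';', session_save_path());
$dir   = end($parts) !== '' ? end($parts) : sys_get_temp_dir();
$file  = rtrim($dir, '/') . '/sess_' . session_id();

$report = array(
    'host'              => $host,
    'document_root'     => isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : null,
    'session_id'        => session_id(),
    'decoded_keys'      => array_keys($seen),
    'save_handler'      => ini_get('session.save_handler'),
    'save_path'         => session_save_path(),
    'serialize_handler' => ini_get('session.serialize_handler'),
    'suhosin_loaded'    => extension_loaded('suhosin'),
);
// ini_get() returns false for a directive that is not registered on this host.
foreach (array('encrypt', 'cryptdocroot', 'cryptua', 'cryptraddr') as $k) {
    $report["suhosin.session.$k"] = ini_get("suhosin.session.$k");
}
// Only the plain "files" handler without directory hashing ("N;/path") is inspected.
if ($report['save_handler'] === 'files' && count($parts) === 1) {
    clearstatcache();
    $report['file']        = $file;
    $report['file_exists'] = @file_exists($file);
    $report['file_bytes']  = $report['file_exists'] ? @filesize($file) : null;
}
// Stored bytes but nothing decoded: same store, data unreadable on this host
// (for example a differing encryption key or serialize handler). No bytes: a different store.
$report['verdict'] = empty($seen)
    ? (!empty($report['file_bytes']) ? 'data present but not decodable here' : 'no data in this store')
    : 'session data shared';

$_SESSION['written_by'][$host] = time();  // marker the other host should see
header('Content-Type: application/json');
echo json_encode($report);
```

Load it twice on the first host, then once on the other; a fresh session legitimately reports no data on its very first load.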