
According to "Allow php sessions to carry over to subdomains", there are 3 ways to allow PHP sessions across different subdomains.

  • php.ini: session.cookie_domain = ".example.com"
  • .htaccess: php_value session.cookie_domain .example.com
  • php script: ini_set('session.cookie_domain', '.example.com' );

(My web host does not allow modification of PHP via .htaccess so I tried the other 2 methods.)

However, the `session_regenerate_id(true);` in my login.php conflicts with `session.cookie_domain = ".example.com"`, in that after a header redirect it empties the PHP session variable.

login.php

if (!isset($_SESSION)) { session_start(); }

// authentication codes...

session_regenerate_id(true);
$_SESSION['username'] = $username;
header('Location: redirect.php');
exit;

redirect.php

if (!isset($_SESSION)) { session_start(); }
var_dump($_SESSION); // returns array(0) { } if session.cookie_domain is set

I understand that using true in session_regenerate_id() would delete the old session, but it does not empty the session variable if session.cookie_domain is not set. Why is it so?

And the above 3 solutions do not work if I do not regenerate the session id, but doing so results in the session variable being emptied. Any idea how to solve this?

  • I don't think your host would allow changing php.ini either, so you're basically left with `ini_set()` :) – Ja͢ck Jan 26 '13 at 16:54
  • Is your `login.php` missing a `session_start()` at the top? – Ja͢ck Jan 26 '13 at 16:55
  • @Jack I just called the host. They explicitly allowed me to work on php.ini. They just disabled some features in .htaccess only. – Antony Jan 26 '13 at 16:56
  • @Jack I have `session_start()` at the top of `login.php`. – Antony Jan 26 '13 at 16:56
  • put this at the top: `error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);` for better debugging – Patt Mehta Jan 26 '13 at 17:39
  • @GLESPrateekNina No errors found related to the current issue. – Antony Jan 26 '13 at 17:50
  • can you share the code snippet where you use session functions for the first time – Patt Mehta Jan 26 '13 at 17:51
  • @GLESPrateekNina Those session functions are scattered around every page of the website. So instead of looking up every session function, I tested it right after `$_SESSION['username'] = $username;`, before and just after `header('Location: redirect.php');`. The $_SESSION variable is good before the redirect. It is empty after `session_start()` in the redirected page. `if (!isset($_SESSION)) { session_start(); }` almost always precedes every page. – Antony Jan 26 '13 at 17:59

1 Answer
<?php
session_start();
session_regenerate_id();
// Re-issue the session cookie for the whole domain. The cookie must carry the
// session name (PHPSESSID by default), not a literal 'session_id', or PHP will
// never look at it on the next request.
setcookie(session_name(), session_id(), 0, '/', '.yourdomain.com');
if (!empty($_SESSION["user_logged_in"])) {
    header("Location: home.php");
} else {
    header("Location: index.php");
}
exit;

Obviously setcookie is less secure, but if all three do not work for you, that will help you out. You can use an additional session of the original domain or even store them in a database if you want additional security along with the setcookie option.

  • Can you provide some explanation instead of only code? Thanks. – phant0m Jan 26 '13 at 16:52
  • To use cookie-based sessions, session_start() must be called before outputting anything to the browser. – Patt Mehta Jan 26 '13 at 16:55
  • @GLESPrateekNina I have `session_start()` at the top of `login.php`. – Antony Jan 26 '13 at 16:59
  • @GLESPrateekNina Alright the `setcookie` method would be a workaround, but it still doesn't explain what happened to the $_SESSION variable. I hope there is a $_SESSION solution though. – Antony Jan 26 '13 at 17:29
  • yeah, actually I'm trying different methods on wamp, but it is difficult to implement your situation in code, because my $_SESSION is not empty :) – Patt Mehta Jan 26 '13 at 17:32
  • it is very strange that sessions do not work on your web hosting, try to use curl to fetch the sessions from another person on that hosting – Patt Mehta Jan 26 '13 at 17:34
  • @GLESPrateekNina the $_SESSION is not empty in my localhost either, since I have no domain name to set in php.ini. This makes it hard for me to debug the code. – Antony Jan 26 '13 at 17:34
  • hmm, upvote my answer if it provides a solution, in the meanwhile I'll try other ways or may be even google it – Patt Mehta Jan 26 '13 at 17:35
  • @GLESPrateekNina I don't know who downvoted it, and it doesn't really answer the question, but I would upvote it for your continued effort. – Antony Jan 26 '13 at 17:38
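As an added example (not code from the question or the answer), here is how the `ini_set()` approach from the question can be applied in one bootstrap, via `session_set_cookie_params()` before `session_start()` with the usual cookie hardening flags, together with a diagnostic for a condition the page does not establish and that I am assuming: after the domain is changed, the browser still holds the old host-only PHPSESSID next to the new `.example.com` one, so both are sent and PHP resumes the stale id that `session_regenerate_id(true)` just destroyed. `.example.com` is the question's placeholder domain; the array forms of `setcookie()` and `session_set_cookie_params()` need PHP 7.3 or later.

```php
<?php
// Added example, not code from the question or the answer.
// Assumption (the page does not establish it): after cookie_domain is changed,
// the browser may keep an older host-only PHPSESSID next to the new
// ".example.com" one; both arrive on the next request and PHP resumes the
// stale id, which session_regenerate_id(true) has just destroyed.

declare(strict_types=1);

const SESSION_COOKIE_DOMAIN = '.example.com'; // placeholder domain from the question

// How many cookies carrying the session name did the browser send?
// More than one means a host-only and a domain-wide copy coexist.
function countSessionCookies(string $cookieHeader, string $name): int
{
    return (int) preg_match_all('/(?:^|;\s*)' . preg_quote($name, '/') . '=/', $cookieHeader);
}

function startSharedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // same intent as the question's isset($_SESSION) guard
    }
    // Equivalent to ini_set('session.cookie_domain', ...) but must precede session_start().
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => SESSION_COOKIE_DOMAIN,
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// login.php flow: regenerate the id, then expire a stale host-only cookie so
// that only the domain-wide PHPSESSID comes back on the redirected request.
function loginUser(string $username): void
{
    startSharedSession();
    session_regenerate_id(true); // new id after authentication; old session destroyed
    if (countSessionCookies($_SERVER['HTTP_COOKIE'] ?? '', session_name()) > 1) {
        error_log('duplicate ' . session_name() . ' cookies received; expiring host-only copy');
        // No 'domain' option here, so this only touches the host-only cookie.
        setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    }
    $_SESSION['username'] = $username;
    header('Location: redirect.php');
    exit;
}
```

Calling `startSharedSession()` at the top of redirect.php instead of a bare `session_start()` keeps both pages issuing the cookie with the same scope, and the `error_log` line tells you from the server log whether the duplicate-cookie condition actually occurred.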