
I need to share PHP sessions between multiple servers. However, I'm not sure how to maintain the session ID created on one server and how to pass it to the next server.

Essentially, a client can upload a file, but which server the file is sent to depends on which server is not overloaded.

For example, session_start() is called on test.com

An AJAX post is sent to serv1.test.com. When I call session_start() on serv1.test.com, I want it to pull the existing session information that was created by session_start() on test.com. However, that doesn't seem to be the way PHP sessions work?

I installed Memcached and followed this guide here:

https://www.digitalocean.com/community/tutorials/how-to-share-php-sessions-on-multiple-memcached-servers-on-ubuntu-14-04

I have one centralized memcache server that test.com and serv1.test.com are configured to use. However, session_start() creates a unique session on each server instead of reusing the same session. If I send the PHPSESSIONID to each server, then I can load the existing session.

How do I accomplish what I'm trying to do? I could send the PHPSESSIONID as a variable in the AJAX POST, but isn't that a security risk? That is something that could be changed by the user...

How do I get serv1.test.com to continue to use the same session set on test.com? How do I pass that session ID to serv1.test.com securely so I can use session_id("existingsessionid_from_test.com") to open the existing session?

OwN
  • A client with cookies enabled will always send the session cookie back to the server. I believe in your case it will also send it to the subdomain if the cookie parameters are set correctly. If you use a centralized session storage and you have configured that correctly on both servers, you don't have to do anything fancy (e.g. session id post with ajax). – frz3993 Oct 30 '15 at 18:45
  • Each server is running nginx with php5-fpm. The php.ini file is configured to use memcached and uses the IP address of the memcached server for session.save_path. Each server is storing its sessions on the memcached server, but requests from the root domain test.com and requests from serv1.test.com do not result in the same session_id / cookie being sent. I configured the cookie domain to be .test.com on each server, but that also didn't make a difference. A call to test.com/set_session.php and then a call to serv1.test.com/get_session.php does not return anything - session ids are different. – OwN Oct 30 '15 at 19:15
  • test.com is on a different server than serv1.test.com --- DNS is configured to send requests to the proper server. Does this have something to do with why the session ids are different even though each server is using the same session configuration? How would I get both servers to generate the same Id on session start since they both save their sessions on the same memcached instance? – OwN Oct 30 '15 at 19:18
  • Have you set the session cookie to be available to the subdomain? `session_start()` will generate a new id if none is available. See this link: http://stackoverflow.com/questions/644920/allow-php-sessions-to-carry-over-to-subdomains – frz3993 Oct 30 '15 at 19:21
  • Yep, this worked once I set session.cookie_domain = ".example.com" --- Sessions are now shared as I imagined... Thank you so much! This was driving me insane! – OwN Oct 30 '15 at 19:33
  • You're welcome, happy coding. – frz3993 Oct 30 '15 at 19:35

1 Answer

The solution was to set the session.cookie_domain to include subdomains.

session.cookie_domain = ".test.com"

Thanks frz3993

OwN
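The shared-cookie setup from this thread as an added example, not part of the original question or answer: an upload endpoint on serv1.test.com that takes the session ID only from the cookie scoped to `.test.com`, never from the POST body. The file name `upload.php`, the `user_id` session key, the HTTPS origin and the client sending its AJAX request with `withCredentials` enabled are all assumptions; test.com needs the same `session.*` settings.

```php
<?php
// upload.php on serv1.test.com (hypothetical file name; added example).
// The memcached save handler is assumed to be configured in php.ini already.

// Share the session cookie with every subdomain of test.com (the fix above).
ini_set('session.cookie_domain', '.test.com');
ini_set('session.cookie_path', '/');

// Take the session ID from the cookie only, never from GET/POST parameters.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Ask PHP to refuse session IDs it did not issue (PHP 5.5.2+).
ini_set('session.use_strict_mode', '1');

// Keep the cookie away from page scripts and plain-HTTP requests.
// Assumption: both hosts are served over HTTPS.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

// An AJAX POST from test.com to serv1.test.com is cross-origin: the browser
// attaches the cookie only if the request sets withCredentials, and exposes
// the response only if it names the exact origin and allows credentials.
$allowedOrigins = array('https://test.com'); // assumption: the only caller
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
if (in_array($origin, $allowedOrigins, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin');
} elseif ($origin !== '') {
    http_response_code(403); // unknown origin: do not touch the session
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Methods: POST');
    http_response_code(204); // preflight answered, nothing else to do
    exit;
}

session_start();

// 'user_id' is a hypothetical key that test.com writes after login. If it is
// missing, the request did not carry a session created on test.com.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('No shared session');
}
// ... handle the uploaded file for $_SESSION['user_id'] here ...
```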