Setting PHP session ONLY on subdomain FROM domain

Question

I got a system, where each client has their own subdomain. The users can log into the system directly from their own subdomain, but I want to add the opportunity to login directly from the domain, and afterwards send them to the subdomain. It is important that the session is only set on the actual subdomain, and not on any other subdomains or the main domain.

All login-processes are made through jQuery/AJAX.

I've tried the following:

On domain.com a user fills out the login-form, and a call is made to domain.com/ajax/front-login.php
From this AJAX-file the user is validated, the subdomain that the user belongs to is found, and a PHP POST-call (through file_get_contents) is made to subdomain.domain.com/ajax/sub-login.php. This file validates and sets a SESSION.
From the callback it looks like everything is done correctly, but the session is not set on subdomain.domain.com

I hope it makes sense. Any suggestions?

When you say the session is not set on the subdomain, how are you checking that? Are you just looking for the cookie in the browser? Or did you redirect to the subdomain and try to dump out the session? — Jeremy Harris, Oct 27 '16 at 12:27
i don't know if that's what you need but check this http://stackoverflow.com/questions/9153716/sharing-session-variables-between-multiple-subdomains — Antonios Tsimourtos, Oct 27 '16 at 12:28
@JeremyHarris If the session was set, the user would have access - the user has not and needs to login. — Christian Bundgaard, Oct 27 '16 at 12:38
@Tony If it works when targeting a specific subdomain it might work. — Christian Bundgaard, Oct 27 '16 at 12:38
Do you set the session on a subdomain.domain.com php file? EDIT: you set the session on sub-login.php as you said. So you set it in a sub-domain file. So the session is not saved on the sub-domain but to the domain? If that's the case maybe it has something to do with ajax — Antonios Tsimourtos, Oct 27 '16 at 12:40
Your 100% certain that the session starts in `sub-login.php`? with `session_start()`, check your session settings so that it doesn't auto start or starts in `front-login.php`, http://php.net/manual/en/session.configuration.php#ini.session.auto-start — Anuga, Oct 27 '16 at 15:02

Anuga · Answer 1 · 2016-10-31T11:33:18.183

0

Add ini_set('session.cookie_domain', $subdomain.'.domain.com'); to the beginning ofsubdomain.domain.com/ajax/sub-login.php, where you feed $subdomain with it's name.

Remove session_start() from front-login.php or atleast wrap it in a if () statement if there is no subdomain.

edited Oct 31 '16 at 11:33

answered Oct 27 '16 at 13:02

Anuga

2,619
1
18
27

can you add `front-login.php` and `sub-login.php` to the post? if it didn't work, the session must start before the `ini_set()`. – Anuga Oct 27 '16 at 15:06
So the ini_set needs to come before session_start()? – Christian Bundgaard Oct 27 '16 at 16:55
Just tested - no difference. First ini_set, then session_start(), then the session is set. But yeah, I have session_start() in front-login.php too, but how does that make a difference? – Christian Bundgaard Oct 27 '16 at 16:57
Then the session starts in `front-login.php` – Anuga Oct 27 '16 at 18:40

Setting PHP session ONLY on subdomain FROM domain

1 Answers1