0

I worked on a web tool that was great and working. I decided to change domain name, so I downloaded everything and uploaded everything on the new domain name.

My login system was really poor, but it worked as follows:

  • on domain.com/login.php you provide email/password and on the same page the system checks if they exist in the database.
  • If they do, all the information of the user are stored in $_SESSION
  • After that you have a redirect to client.domain.com
  • Here, if $_SESSION['username'] is set, you are ok. If not, you are redirected back to the login page

To keep the data between the subdomains, I placed this before assigning $_SESSION values:

ini_set("session.cookie_domain", "client.domain.com");
ini_set("session.cookie_domain", "mods.domain.com");
ini_set("session.cookie_domain", "domain.com");
ini_set("session.cookie_domain", "domain.com");
session_start();
$_SESSION['username'] = Other-code;

Of course, as I changed domain name, I changed "domain.com" with the new domain name.

Sadly, I noticed that it stopped working without any reason.. I already checked all the similar questions here, but even if I follow them and I do the things as I should.. $_SESSION is empty for the subdomain.

If you need any other info, let me know. Thanks in advance!

Nic
  • 81
  • 10
  • Possible duplicate of [PHP Sessions across sub domains](https://stackoverflow.com/questions/1064243/php-sessions-across-sub-domains) – Cemal Jan 21 '18 at 21:44
  • Someone is building their first XSFR script it seems – The Law Jan 21 '18 at 21:46
  • start with error reporting, then update your post to contain what the errors were, if any. – Funk Forty Niner Jan 21 '18 at 21:47
  • @FunkFortyNiner already tried. Any warning/error is shown if not notices for not defined indexes (for example I use $_SESSION['id'] to display some info) – Nic Jan 21 '18 at 21:48
  • *"My login system was really poor, but it worked as follows ``"* - Are you sure that there isn't relevance with the db code you're using? the servers' php versions, the api used... etc. this could be anything. If you say it used to work, then something went South somewhere. – Funk Forty Niner Jan 21 '18 at 21:50
  • @FunkFortyNiner no because if I run the login script IN the subdomain, everything is okay and I can use the session values everywhere. If I run the login script on the main website in the login page, I can't use it in subdomains. It is really strange because All i changed was the "domain.com" value – Nic Jan 21 '18 at 21:52
  • Yours doesn't contain the slash as per this example `session_set_cookie_params(0, '/', '.some_domain.com');` and most often times, they're required. Plus, if you already tried that, make sure that something isn't being cached, or the sessions/cookies haven't been deleted. If they're still in memory/cache somewhere, then that could be part of the problem. This could be just a silly little thing. – Funk Forty Niner Jan 21 '18 at 21:57
  • @FunkFortyNiner tried with session_set_cookie_params(0, '/', '.domain.com'); but nothing. And I am sure it is something silly... but It has been an hour now.. and everything is exactly the same it was on the previous domain. – Nic Jan 21 '18 at 22:00

1 Answers1

1

ini_set("display_errors","on") on first line to see if there are any errors.

Of the first 4 lines, remove these 3 lines

ini_set("session.cookie_domain", "client.domain.com");
ini_set("session.cookie_domain", "mods.domain.com");
ini_set("session.cookie_domain", "domain.com");

and change the last line to 

ini_set("session.cookie_domain", ".domain.com");

After login success and before login call session_regenerate_id() to change your session id. As suggested by jeroen in php-sessions-across-sub-domains you can also add the below 2 lines prior to session_start

$some_name = session_name("some_name");
session_set_cookie_params(0, '/', '.domain.com');

please keep in mind that if you are going to add the 2 line above, you also need to add them in your login page.

and as a final note, check if there's anything output to browser prior to session_start, if soyour setting for session will not be active and won't work

Cemal
  • 1,469
  • 1
  • 12
  • 19
  • Thanks for your help. Anyway, nothing changed. Once in the subdomain, this is the result of a var_dump on $_SESSION: array(0) { } – Nic Jan 21 '18 at 21:44
  • have you checked [php-sessions-across-sub-domains](https://stackoverflow.com/questions/1064243/php-sessions-across-sub-domains) – Cemal Jan 21 '18 at 21:48
  • tried, but nothing changed. $_SESSION is still empty – Nic Jan 21 '18 at 21:50
  • can you post your phpinfo on your question? – Cemal Jan 21 '18 at 21:51
  • I have edited my answer, can you try it now. P.S. please don't post sensitive data on pastebin for your own security. Nice template on your website though. me gusta ;) – Cemal Jan 21 '18 at 22:04
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/163602/discussion-between-nic-and-cemal). – Nic Jan 21 '18 at 22:09