
I have 3 domains:

  1. member.example.com for centralizer login on SERVER1
  2. news.example.com for news on SERVER1
  3. video.example.com for videos on another server SERVER2

For cross sub domain sessions I'm using:

session_name('example');
session_set_cookie_params(0, '/', '.example.com');
session_start();

When a user logs onto member.example.com, all of the session data is available on news.example.com but not on video.example.com because it is on another server. The session id is the same on all subdomains, but since it's a different physical box, the session file is not there.

I'm looking for the best method to be able to share sessions across subdomains when the subdomains are hosted on different physical servers.

I know the approach of storing the data in a database, but wish to avoid this. I also know I can send encrypted session information in the URL for video.example.com, but I feel it is ugly, and I want to create a clean solution.

After traversing cookies, and other implementations, I explored the following scenario.

In member.example.com after successfully logging in, I tried to create a session for video.example.com by calling a session generation page on video.example.com using cURL. I tried using the following code (and passing the appropriate fields with cURL):

session_name('example');
session_set_cookie_params(0, '/', '.example.com');
session_start();
// copy the posted values into the session on this server
$_SESSION['id'] = $_POST['id'];
$_SESSION['name'] = $_POST['name'];
print_r($_SESSION);

In the cURL response I found these variables set for session but unfortunately a new session id was created for the cURL call. I tried to resolve this by the existing session ID, but it did not work.

I am aware of other options, but am specifically interested in this approach.

Corbin
Asad kamran
  • Unless you have a specific session storage, PHP sessions cannot be shared between servers. I think you should consider using a database or a key-value storage to store your session data... – RageZ Dec 15 '11 at 09:03
  • Yes i know, for this cross server rule. But i want to create it by calling a php script on video.example.com, so it can be available there. – Asad kamran Dec 15 '11 at 09:12
  • @RageZ: can you explain "key-value storage" – Asad kamran Dec 15 '11 at 09:17
  • We were facing similar issues while moving our site from one server to many servers, though we moved to cookie and memcache based authentication. It is easier and essential as PHP sessions don't support cross-server authentication. Having a good encryption key at your end and validation of cookie data is essential and also helpful further down the road when you try to move your authentication process to https or to some other server. – ankur.singh Dec 15 '11 at 09:17
  • It would be quite difficult since there are two different servers. You must update/create the session on every server every time you update/create a session on one of the servers. Sending session data across servers would be very inefficient. Can you really not use a database for session storage? – piotrekkr Dec 15 '11 at 09:22
  • @ankur.singh: Thank you for your suggestion. I am trying to configure memcache for another reason (file upload progress). I read it's not secure and we have to implement some security ourselves. Can you provide some more help, so I can try memcache for this issue? – Asad kamran Dec 15 '11 at 09:24
  • @piotrekkr, yes, I want to avoid DB access, but if there is no solution I will use it as the last available solution. Although it's inefficient and insecure, can you help with why a session variable cannot be set by calling a PHP script on SERVER2 from Server1? – Asad kamran Dec 15 '11 at 09:27
  • @Asadkamran In memcache, we can save data for a given time, so let's say that you want the user to get logged out after a 5 min inactive period: you can set the key login_uuid_of_user to 1 for 300 sec. And at each activity of the user check whether this key is set or not. If it is not set, you can assume that someone is trying to forge this data or the user has been inactive for the last 5 min. – ankur.singh Dec 15 '11 at 09:36
  • The problem is that the session id is not the same. As far as I'm aware, without implementing your own session handler (and even then maybe not) you cannot choose a session id. Also, memcached is not inherently insecure. As long as access to it is controlled, it is secure. That's like saying MySQL is insecure. It can be, but is not necessarily. – Corbin Dec 15 '11 at 09:37
  • Also at each user activity you can update this key's expiry time. And you will get the uuid of the user from the cookie. But make sure that you are also using some cookie-side encryption, like one other cookie auth_check=md5(uuid+salt). It will not completely secure your app but will be more secure than any other known and easy solution. – ankur.singh Dec 15 '11 at 09:40
  • @Corbin: when I print session_id(); on all subdomains it is the same as I see (as I mention above I use this at the top :: session_name('example'); session_set_cookie_params(0, '/', '.example.com'); session_start(); :: so the session is transferred to all subdomains on the same server, but the subdomain on server 2 can only avail of the session id, not the session data). I verified using the search method in the browser and the session ID is the same for all subdomains. – Asad kamran Dec 15 '11 at 10:42
  • @ankur.singh: Thanks for your help, I will try using memcache. – Asad kamran Dec 15 '11 at 10:43

2 Answers

On both servers the session id, session name, cookie params and other session settings must be the same. So you should send session_name(), session_id(), the other session params and the session data to the video server. Then on video you create

session_name($_POST['name']);
session_set_cookie_params(0, '/', '.example.com');
session_id($_POST['id']);   // must be called before session_start()
session_start();
// session_data must be posted as an array (session_data[key]=value), not a string
$_SESSION = array_merge($_SESSION, $_POST['session_data']);

try if it works.

piotrekkr
  • Thanks for the help, I already tried this; I hardcoded the session name as it is the same for all subdomains. But I will retry this as you suggest. I put this on ALL: session_name('example'); session_set_cookie_params(0, '/', '.example.com'); session_start(); $id=session_id(); // as I can see it returns the same id as on another subdomain – Asad kamran Dec 15 '11 at 10:52
  • That sets the name, not the id. You need to do as piotrekkr suggests and use session_id(id here). Note that it must be before session_start() – Corbin Dec 15 '11 at 11:08
  • @piotrekkr: Thanks, it works now, although I already tried this by passing a hard-coded session id before starting the session, but maybe it was wrong or old. Anyway, thank you very much. – Asad kamran Dec 17 '11 at 07:46
  • May it help someone else. My scenario was to implement a SESSION on a remote server: I want to create a session on a subdomain on a REMOTE server. For this purpose, while logging on at the MEMBER subdomain I invoke a cURL POST call to the remote server page with the session ID and other session values, and this page creates it as intended. Code is as follows: – Asad kamran Dec 17 '11 at 07:56
  • function vSess($url, $fields, $rt) {
        // build the urlencoded POST body (CURLOPT_POSTFIELDS also accepts the array directly)
        $field_str = '';
        foreach ($fields as $key => $val) {
            $field_str .= urlencode($key) . '=' . urlencode($val) . '&';
        }
        $field_str = rtrim($field_str, '&');
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $field_str);
        if ($rt == 1) {
            // return the remote page's output to the caller
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            $result = curl_exec($ch);
            curl_close($ch);
            return $result;
        } else {
            curl_exec($ch);
            curl_close($ch);
        }
    }
    and call it as follows:
    $f = array('sid' => session_id(), 'id' => $_SESSION['v1'], 'user' => $_SESSION['v2']);
    vSess('http://www.videos.example.com/v_sess.php', $f, 0);
    – Asad kamran Dec 17 '11 at 08:01
  • Sorry for removing the comments in the code, due to the limited characters for posting comments. – Asad kamran Dec 17 '11 at 08:06
  • `CURLOPT_POSTFIELDS` can take an array argument; curl will escape and join it for you when sending the request. Check the manual :) – piotrekkr Dec 18 '11 at 14:11
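The approach in this answer and in the asker's vSess() comment, as an added example (not piotrekkr's or the asker's code): the page on video.example.com that receives the session id and data authenticates the request before it calls session_id(). Without that, the endpoint accepts any posted id and data from anyone, so a third party could fix a user's session id on SERVER2 and write arbitrary session contents. The example assumes a shared secret deployed on both servers (SHARED_SECRET is a placeholder), the receiver path v_sess.php from the comments, HTTPS between the two servers so the id is not sent in the clear, and the session_name/cookie parameters from the question; push_session_to_video and receive_session are names chosen here.

```php
<?php
// Added example, not from the question or the answers.
// Assumptions: SHARED_SECRET is the same on both servers (placeholder value),
// the receiver is deployed as https://video.example.com/v_sess.php,
// and both servers use session_name('example') with the same cookie params.

const SHARED_SECRET    = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';  // placeholder
const MAX_SKEW_SECONDS = 60;   // how old a signed request may be (limits replay)

// ---------- sender: runs on member.example.com right after login ----------
function push_session_to_video(array $data): bool
{
    $payload = json_encode([
        'sid'  => session_id(),   // the id the browser already holds for .example.com
        'data' => $data,
        'ts'   => time(),
    ]);
    $sig = hash_hmac('sha256', $payload, SHARED_SECRET);

    $ch = curl_init('https://video.example.com/v_sess.php');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => ['payload' => $payload, 'sig' => $sig], // curl encodes the array
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $code === 200 && $body === 'ok';
}

// ---------- receiver: v_sess.php on video.example.com ----------
function receive_session(array $post): string
{
    if (!isset($post['payload'], $post['sig'])
        || !is_string($post['payload']) || !is_string($post['sig'])) {
        http_response_code(400);
        return 'bad request';
    }
    // Verify the HMAC first, in constant time, so nothing below runs for unauthenticated callers.
    $expected = hash_hmac('sha256', $post['payload'], SHARED_SECRET);
    if (!hash_equals($expected, $post['sig'])) {
        http_response_code(403);
        return 'bad signature';
    }
    $msg = json_decode($post['payload'], true);
    if (!is_array($msg) || !isset($msg['sid'], $msg['data'], $msg['ts']) || !is_array($msg['data'])) {
        http_response_code(400);
        return 'bad payload';
    }
    if (abs(time() - (int) $msg['ts']) > MAX_SKEW_SECONDS) {
        http_response_code(403);
        return 'stale request';
    }
    // Accept only strings shaped like PHP session ids, never an arbitrary value.
    if (!is_string($msg['sid']) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $msg['sid'])) {
        http_response_code(400);
        return 'bad session id';
    }

    session_name('example');
    session_set_cookie_params(0, '/', '.example.com');
    session_id($msg['sid']);   // must come before session_start()
    session_start();
    $_SESSION = array_merge($_SESSION, $msg['data']);
    session_write_close();     // flush to this server's session store
    return 'ok';
}

// When this file is served as v_sess.php, handle the POST; when included, only define the functions.
if (PHP_SAPI !== 'cli' && basename($_SERVER['SCRIPT_NAME']) === 'v_sess.php') {
    echo receive_session($_POST);
}
```

On the member server the login handler calls push_session_to_video(['id' => $_SESSION['id'], 'name' => $_SESSION['name']]) and treats a false return as a failed provisioning. hash_equals() needs PHP 5.6 or later. If session.use_strict_mode is enabled on SERVER2, check whether it rejects an id the local store has not seen yet, because creating exactly such a session is what this endpoint exists for; the HMAC check, not strict mode, is what keeps outsiders from choosing ids here. The timestamp window only bounds replays; if the secret ever leaks, rotate it on both servers.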

Old question, possibly a new/better answer.

We use AWS with an autoscaling policy, so, as the load increases, we get more instances running our code.

To solve the session issue across multiple instances (they are load balanced), we use memcached.

PHP can be configured to use memcached as the session store relatively easily.

Having said that, Memcached may not be the most suitable store for sessions and in hindsight, something that is disk backed (Redis comes to mind) may be a better solution.

Richard A Quadling
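The configuration this answer refers to, as an added example rather than the answerer's own setup. It assumes the php-memcached extension (ext/memcached) is installed on every web instance and that the cache node sits at 10.0.0.5 (a placeholder) on a private network: memcached has no authentication by default, so anyone who can reach the port can read and overwrite every session on the site.

```ini
; php.ini on every load-balanced instance (added example; 10.0.0.5:11211 is a placeholder)
; ext/memcached takes a plain host:port list here; the older ext/memcache wants tcp://host:11211
session.save_handler = memcached
session.save_path    = "10.0.0.5:11211"
```

On the memcached host itself, start the daemon with -l 10.0.0.5 so it listens on the private interface only, and restrict the port with the security group or firewall to the web instances. With sessions in one shared store every instance sees the same $_SESSION for a given id, which is what removes the cross-server problem from the question.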