Sharing SESSION Variables Between Multiple Subdomains

Question

I have a website www.example.com. That will have multiple subdomains that work with a single application or program. For an example, login.example.com will allow the user to log in to the site while system.example.com will allow the user to access an information system, while forums.example.com will allow the user to access forums.

We may need to pass information between the subdomains such as a user id, or a user preference, etc. How do we go about passing information between the sudomains using SESSION variables?

EDIT: I like this idea:

As the first thing in your script:

ini_set('session.cookie_domain', '.example.com' );

Possible duplicate? [Allow php sessions to carry over to subdomains](http://stackoverflow.com/questions/644920/allow-php-sessions-to-carry-over-to-subdomains) — Josh, Feb 05 '12 at 22:38
Do you plan on using the SAME session on all of the subdomains or would you like the session information to be isolated by subdomain? If you ever expand and move one subdomain to another physical server, this could be problematic if you share the session across all domains. Or you would have to switch to memory/database based session storage which all servers could access. — drew010, Feb 05 '12 at 22:43
I plan to use the SAME session on all the subdomains. However another drawback may be that I have multiple domains on one sever. What would I do then to keep the sessions separte amongst the regular domains, but keep them for the subdomains only? — Kevin Oluseun Karimu, Feb 06 '12 at 16:52

score 18 · Answer 1 · answered Feb 05 '12 at 22:39

18

1) the subdomains should use the same path to save session files

2) modify your

php.ini session.cookie_domain = ".example.com"

or .htaccess php_value session.cookie_domain .example.com

or inside of the script ini_set('session.cookie_domain', '.example.com' );

answered Feb 05 '12 at 22:39

Cheery

16,063
42
57

What if you are using a hosting service where you have more than one domain. Example would be example1.com, example2.com, example3.com. Then what would you do? – Kevin Oluseun Karimu Feb 06 '12 at 16:49
@KevinOluseunKarimu Nothing by the cookies, it does not work this way. You could attach session id to the links leading to another domain, at another domain you get this session id and start session with. The requirement about shared session folders is still here. – Cheery Feb 06 '12 at 16:56
How do I get the sessiom id to put in the links? – Kevin Oluseun Karimu Feb 06 '12 at 17:02
Furthermore, how do I get the other page to read and use it? haha. I'm a bit confused. – Kevin Oluseun Karimu Feb 06 '12 at 17:03
@KevinOluseunKarimu look at http://www.php.net/session_id use at, attach this ID as argument to the URLs leading to another domain. Use it to set the same session id on it. The best way is not to match it directly to the authentication session, otherwise if user is not logged out and submits this link to somebody else then they will have access to his data. – Cheery Feb 06 '12 at 18:44
When you mean inside of the script in your answer did you mean inside the script of the webpage? – Kevin Oluseun Karimu Feb 11 '12 at 02:54
@KevinOluseunKarimu I meant inside of the script that starts the session or changes session variables. – Cheery Feb 11 '12 at 03:34

score 16 · Answer 2 · edited Jan 30 '18 at 12:20

16

PHP session ids are saved in Cookies. To make a cookie available in all the sub-domains you need to assign it to the root domain. Then all the sub-domains will get the session id from cookie and PHP can find the session using passed session id.

As it turns out, You just need to set the session.cookie_domain to the root domain in php.ini file

session.cookie_domain = ".example.com"

Also check manual for different approaches used to set an ini entry.

edited Jan 30 '18 at 12:20

coatesap

10,707
5
25
33

answered Feb 05 '12 at 22:38

Shiplu Mokaddim

56,364
17
141
187

What if you are using a hosting service where you have more than one domain. Example would be example1.com, example2.com, example3.com. Then what would you do? – Kevin Oluseun Karimu Feb 06 '12 at 16:48
2

Add `php_value session.cookie_domain .example.com` in `.htaccess` file for each of your domains – Shiplu Mokaddim Feb 06 '12 at 17:12
1

I'm sorry so you would add that as "php_value session.cookie_domain .example.com?" Correct? – Kevin Oluseun Karimu Feb 06 '12 at 17:58
The way my hosting service has set this up is to have a .htaccess for each directory. I don't see one for each domain. – Kevin Oluseun Karimu Feb 06 '12 at 17:58
put it in root directory or example.com. If you have `example.com/index.php` file then put the `.htaccess` in the directory where `index.php` is kept. Thats the document root. – Shiplu Mokaddim Feb 06 '12 at 18:04

score 11 · Answer 3 · answered Feb 11 '12 at 04:39

11

I found a solution to my problem:

session_name("2620368ghwahw90w");
session_set_cookie_params(0, '/', '.mydomain.com');
session_start();

This appears to work with no problem. Is this a good method with low security risk?

answered Feb 11 '12 at 04:39

Kevin Oluseun Karimu

535
2
5
17

score 3 · Answer 4 · answered Mar 05 '13 at 08:50

3

Before you create your session in php file, add this line at first line :

<?php
//session cross to sub domain
ini_set('session.cookie_domain', substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));

answered Mar 05 '13 at 08:50

Pathic

390
3
16

score 2 · Answer 5 · answered Feb 05 '12 at 22:45

you can use cookies. check the path parameter in setcookie() which makes that cookie available for he entire domain. drawbacks to this are people who turn off cookies (private browsing modes)

another method would be by passing the sessionID around using links or hidden <input> fields (for forms).

since separate websites don't share sessions (as far as i know, since subdomains are technically "different places" from eachother), don't use sessions to store on the server side. instead, use a database to handle your sessions. that way, multiple sites can share the same session tracking table.

What if you are using a hosting service where you have more than one domain. Example would be example1.com, example2.com, example3.com. Then what would you do? — Kevin Oluseun Karimu, Feb 06 '12 at 16:50

score 0 · Answer 6 · answered Oct 18 '17 at 07:13

I have been going round with this for a while now and what worked for me is placing the code below:

session_name("some_session_name"); session_set_cookie_params(0, '/', '.some_domain.com'); session_start();

across all the sub-domains that will use the session variables. I set this at the beginning of my index php file and it works. Hope this will make it clear.

score 0 · Answer 7 · answered Mar 28 '20 at 06:13

Works like charm!

I believe the cleanest way is to create in you .env a variable SESSION_DOMAIN=.example.com

Alternatively, you can open up config/session.php and set 'domain' => env('SESSION_DOMAIN', '.example.com'), with that all subdomains eg. domain.example.com, test.example.com even example.com shares same session

score 0 · Answer 8 · answered Nov 08 '21 at 13:20

0

This should work in most, if not all, cases:

<?php

if (!session_id()) /* If session is not started yet, then... */
    {
        ini_set('session.cookie_domain', substr_count($_SERVER['SERVER_NAME'],'.') > 1 ? ('.'.substr($_SERVER['SERVER_NAME'], strpos($_SERVER['SERVER_NAME'], '.') + 1)) : ('.'.$_SERVER['SERVER_NAME']));
        session_start(); /* Start session now. */
    };
    
?>

answered Nov 08 '21 at 13:20

James Anderson Jr.

760
1
8
26

The problem with @Pathic 's answer is if you visit the page without a subdomain at all, then your `session.cookie_domain` will be set to `'.com'` which matches most of the domains on the internet. Not secure at all, if it even works. :( – James Anderson Jr. Nov 08 '21 at 13:25

score 0 · Answer 9 · answered Feb 05 '12 at 22:39

0

To share the session cookie among subdomains, you have to set the cookie's domain to .example.org (mind the dot).

http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-domain

answered Feb 05 '12 at 22:39

Philippe Gerber

17,457
6
45
40

Sharing SESSION Variables Between Multiple Subdomains

9 Answers9

Linked