Share session on subdomains in php

I have a problem sharing the session between two subdomains, and I've read a lot of threads here and other places.
I have www.xx.com and sub.xx.com and I've set
session_name("PHPSESSXX");
session_set_cookie_params(0, '/', '.xx.com');
and the session.save_path is the same on both domains.
I get a cookie called PHPSESSXX on both domains, and it has the same value.
When I log on to www.xx.com I get a session with some details in it, and it stays that way until I go to sub.xx.com. Then the session on sub.xx.com is empty, and if I refresh www.xx.com, the session there is gone as well. So it does something, but it seems to be overwriting the session data each time I visit a different subdomain.
Any ideas, anyone? Can I debug this somehow?
Btw: I'm using SSL on both domains.
cheers

PHP session ids are saved in cookies. To make a cookie available in all the sub-domains you need to assign it to the root domain. Then all the sub-domains will get the session id from the cookie and PHP can find the session using the passed session id.
As it turns out, you just need to set the session.cookie_domain to the root domain in the php.ini file:
session.cookie_domain = ".example.com"
Also check the manual for the different approaches used to set an ini entry.
Your question is answered here
Sharing SESSION Variables Between Multiple Subdomains
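The cookie-domain setting from this answer, put into a single bootstrap file that both hosts include before any output. This is an added example, not code from the question or the answer; it assumes the parent domain is example.com, that both hosts serve HTTPS (so the cookie can be marked Secure), and that PHP 7.3 or later is available for the array form of session_set_cookie_params().

```php
<?php
// Added example: shared-session bootstrap for www.example.com and sub.example.com.
// Include this before any output and before any other session_* call.
declare(strict_types=1);

// Leading dot: the browser sends the cookie to every subdomain of example.com.
const SHARED_DOMAIN = '.example.com';

function startSharedSession(string $domain = SHARED_DOMAIN): void
{
    // The cookie name must be identical on every host; with different names
    // each host would carry its own, unrelated session.
    session_name('APPSESSID');

    // Cookie scoped to the parent domain. Secure and HttpOnly are set because
    // both hosts use SSL and the id should never be readable from script.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Only accept ids the server itself generated, and only from the cookie,
    // so a client cannot supply an arbitrary id and have it adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_start();
}

startSharedSession();

// Sanity check: if the effective cookie domain is not the parent domain,
// the browser keeps one cookie per host and nothing is shared.
$params = session_get_cookie_params();
if ($params['domain'] !== SHARED_DOMAIN) {
    throw new RuntimeException(
        'Session cookie domain is "' . $params['domain'] . '", expected "' . SHARED_DOMAIN . '"'
    );
}

// Record which host last touched the session; reloading the other host
// should show this value change, which confirms the data is shared.
$_SESSION['last_host'] = $_SERVER['HTTP_HOST'] ?? 'cli';
```

Because session_set_cookie_params() only affects the cookie that session_start() is about to send, both hosts also need the same session.save_path (or the same external session handler); the cookie alone only carries the id.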

My solution was to set a flag in .htaccess like this:
php_flag "suhosin.session.cryptdocroot" 0
And it now works perfectly ;o)
The problem was that Suhosin was installed on the system, and the ini variable
suhosin.session.cryptdocroot = On
encrypted the session files in such a way that when a different subdomain tried to change the session, it deleted everything for security reasons.
It didn't work for me to set the variable to Off or [nothing] in the ini-file, though maybe I didn't find the right file.
I also tried setting it in PHP without any luck. Like this:
ini_set('suhosin.session.cryptdocroot', 0);
cheers
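A diagnostic script for the "can I debug this somehow?" question above, as an added example (not from the question or the answers). Put a copy on each subdomain, e.g. https://www.example.com/sessdiag.php and https://sub.example.com/sessdiag.php, request both from the same browser, and compare the output: the cookie value and session id should match on both hosts, the save path should be the same and writable, and the session file should exist with a non-zero size after the first visit. It assumes the default "files" session handler, a plain directory in session.save_path, the cookie name PHPSESSXX from the question, and the parent domain example.com.

```php
<?php
// Added example: per-host session diagnostics for a shared-subdomain session.
declare(strict_types=1);

session_name('PHPSESSXX');
session_set_cookie_params(0, '/', '.example.com', true, true);
session_start();

header('Content-Type: text/plain; charset=utf-8');

function sessionDiagnostics(): array
{
    $id   = session_id();
    // An empty save path means PHP falls back to the system temp directory.
    $path = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();
    // The "files" handler stores each session as sess_<id> in the save path.
    $file = rtrim($path, '/') . '/sess_' . $id;

    return [
        'host'               => $_SERVER['HTTP_HOST'] ?? '',
        'cookie_received'    => $_COOKIE[session_name()] ?? '(none)',
        'session_id'         => $id,
        'cookie_params'      => session_get_cookie_params(),
        'save_path'          => $path,
        'save_path_writable' => is_writable($path),
        'session_file'       => $file,
        // The file is written at request end, so it is absent on the very
        // first visit and should exist from the second visit on.
        'file_exists'        => file_exists($file),
        'file_bytes'         => file_exists($file) ? filesize($file) : 0,
        'session_data'       => $_SESSION,
        // Suhosin settings named in the fix above; ini_get() returns false
        // for these keys when Suhosin is not loaded at all.
        'suhosin.session.cryptdocroot' => ini_get('suhosin.session.cryptdocroot'),
        'suhosin.session.encrypt'      => ini_get('suhosin.session.encrypt'),
    ];
}

// Leave a per-host marker so the other subdomain can prove it reads the same data.
$_SESSION['seen_on'][$_SERVER['HTTP_HOST'] ?? 'cli'] = date(DATE_ATOM);

print_r(sessionDiagnostics());
```

If cookie_received and session_id agree on both hosts but session_data is empty on the second host and the file shrinks to a few bytes, the data is being discarded server-side rather than the cookie going missing, which is the symptom described in the question.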

Related

PHP Sessions through subdomains when not allowed to edit php.ini

My host (one) is not allowing me to change the php.ini file and nor can I find it (I probably don't have read access to it even). When I am trying to make session variables go across subdomains I can't since the session cookie is set for the main domain only (example.com). I would like it to be set for .example.com
I have tried to set the php ini file to allow this.
ini_set('session.cookie_domain', '.example.com');
That did not work because I am not allowed to run the ini_set() function. I also tried finding the php.ini file but could not find it in my FTP client. Using phpinfo() yields that it is in /etc/php, but I don't have access to that directory.
I expect this to work but clearly it does not. Checking the developer console in Firefox, the domain path for the PHPSESSID cookie is still example.com and not .example.com.
Is there any workaround other than setting the session variables on the correct subdomain from the start?
Session cookie params can also be set with session_set_cookie_params(). The domain is the third argument.
This is not the best solution!
Regarding your situation, and if you cannot set it using .htaccess, you can make a redirect to your subdomain(s), create the session and redirect back to the URL where you want to be.
Ex.:
example.com -> any action -> go to sub1.example.com -> create session -> go to sub2.example.com -> create session -> ... -> go to example.com
Or:
You can also create a pixel image with links to your subdomains if you don't want to use a redirect.
For these two solutions to work, you need to set sessions separately for each subdomain.
You can set the ini variable like this before session_start():
ini_set('session.cookie_domain', '.example.com');
or, for that question, you can set it in the .htaccess file like this:
php_value session.cookie_domain .example.com
and from this answer:
if(isset($_COOKIE['session_id']))
session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();
if(!isset($_COOKIE['session_id']))
setcookie('session_id', session_id(), 0, '/', '.yourdomain.com');
At the end, if none of these ways works, you can change the session_name:
session_name('example_name');
then use the following code in the PHP page:
session_set_cookie_params(0,"/",".example.com",FALSE,FALSE);
setcookie(session_name(), session_id(),0,"/","example.com");
session_start();
For more information see this question.

Trying to have two different subdomains share a cookie, but can't set cookie with top level domain from subdomain

I have a php application in the domain "subdomain.example.com" and I need to set a cookie that is also readable by "subdomain2.example.com".
So I tried making a cookie using the setcookie() function using the domain ".example.com", but it refuses to make the cookie. There are no error messages or anything, but when I try to print out the $_COOKIE global, the cookie I'm trying to generate is not there nor can I find it when I search through the cookies in the browser.
I have already modified the php.ini file to contain the line
session.cookie_domain = ".example.com"
If it helps, I am running this off an Apache 2 web server.

Multi domain session showing weird behaviour in PHP

I have edited session.cookie_domain = ".mysite.in" in php.ini to share one single session for same user across all the sub domains of my site.
But it is behaving weirdly. Now if I open a session at "www.mysite.in", it gets shared with "mysite.in" (no www), but not with "oth.mysite.in".
PS: The session did not get shared to "mysite.in" before, so the edit definitely has some effect.

PHPSESSID Cookies on Sub-domains are having conflicts with each other

We are having some issues with PHP session cookies not allowing us to log into our SugarCRM application, which is an open source PHP application.
The problem is we have the same application installed on 2 sub-domains like below...
Main site
www.domain.com
Dev site
dev.www.domain.com
Now after logging into one, it will not allow you to login to the other!
Please view the image below to see the Cookie problem...
In the image above you can see that there are 2 PHPSESSID cookies competing for the session!
If I now delete one of them, it allows me to login as normal without an issue!
Because this is SugarCRM, I am hoping I can resolve this issue without making really any core file modifications to the application. But if I have to, then we will.
So does anyone have any ideas on a good solution?
Right now my idea for a "Nasty Dirty Hack", which I really do NOT want to have to do, is to make a button on the login form; this button will use JavaScript to clear/delete the PHPSESSID cookies, but again I would really like to find a proper solution.
If anyone has any ideas, please share. Thank you
UPDATE
Thanks for the answers so far. Please do take into account that this is not a simple PHP application that I built where I can easily do code changes. This is SugarCRM, which is a massive large application with thousands of files.
Try to set up this parameter in .htaccess on the subdomain:
php_value session.cookie_domain .domain.com
or use it in PHP code, but before session_start():
ini_set('session.cookie_domain', '.domain.com');
Use
session_set_cookie_params
to set the session from the subdomain, on the principal domain.
Try to use the function (http://php.net/manual/en/function.session-set-cookie-params.php):
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly)
and set $domain = '.domain.com'.
Or if you are setting the session cookie manually with setcookie, then set the same domain there too.
It's actually not the domain you need to change, but the "session name" (name of the cookie parameter). Both apps seem to be using the default "phpsessid" and need to be made to differ, otherwise the apps will see each other's sessions, see the wrong session, or try to unserialize classes only defined in the other project.
You need to change the cookie parameter it's storing the session ID in. It can be controlled from an environment variable (php.ini, .htaccess, etc.): http://us1.php.net/manual/en/session.configuration.php#ini.session.name
This way you can have multiple PHP sessions on the same domain. For example, if you had example.com/sugarcrm and example.com/foo, you could have SugarCRM store its session ID in a cookie param called "sugarsession" (instead of the default phpsessid).
It has been a while since I had this issue, but I think all you have to do is write each instance's session file to a different directory by editing the config.php in each SugarCRM's file system and changing the line
'session_dir' => '',
to point at a different directory.

Rename session cookie to something else, than PHPSESSID

I am reading through the suggested php.ini changes from https://github.com/h5bp/html5-boilerplate/blob/master/.htaccess
One of the suggestions is:
# Rename session cookie to something else, than PHPSESSID
php_value session.name sid
I am interested to know how this could affect my current websites and how this would improve security.
By changing the name, the only security improvement you will have is that you will no longer expose that you are using PHP via the cookie name.
If you change this value, the only side effect on your website is that all the currently logged-in users will become logged out.
Plus, you can use a fun name, like we_are_hiring_ninjas!
The name of the session cookie can be changed from the php.ini file and also from
the host definition on Apache config.
Take a look there.
All the best.
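A per-instance session name, as recommended for the two SugarCRM installs above and as the session.name rename in this question does globally. This is an added example, not SugarCRM code and not from any answer here: a bootstrap that derives a distinct cookie name for each host and keeps the cookie host-only, so www.example.com and dev.www.example.com stop fighting over one PHPSESSID. It assumes the file is loaded before session_start() (for an application whose core files should stay untouched, via auto_prepend_file or an .htaccess php_value), that the allowed hostnames are known in advance, and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example: one session cookie name per deployment instead of the
// shared PHPSESSID default.
declare(strict_types=1);

// Hostnames this deployment answers for (constructed for the example). The
// Host header is client-supplied, so it is checked against this list rather
// than trusted directly.
const ALLOWED_HOSTS = ['www.example.com', 'dev.www.example.com'];

/**
 * Derive a cookie name from a hostname. Only [A-Za-z0-9_] survive, which
 * keeps the result a valid cookie name and drops the "PHP" from the default.
 *   www.example.com      -> sid_www_example_com
 *   dev.www.example.com  -> sid_dev_www_example_com
 */
function sessionNameForHost(string $host): string
{
    $base = preg_replace('/[^A-Za-z0-9]+/', '_', strtolower($host));
    return 'sid_' . trim($base, '_');
}

function startIsolatedSession(string $host): void
{
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        http_response_code(400);
        exit('Unknown host');
    }

    session_name(sessionNameForHost($host));

    // Empty domain = host-only cookie. A Domain attribute, even without a
    // leading dot, is also sent to subdomains, which is exactly how the
    // www.example.com cookie would otherwise leak into dev.www.example.com.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    ini_set('session.use_strict_mode', '1');
    session_start();
}

startIsolatedSession($_SERVER['HTTP_HOST'] ?? '');
```

As the answer notes, renaming the cookie logs every current user out once, because the browser keeps sending the old PHPSESSID that the application no longer reads; the two instances then each carry their own cookie and can be logged into independently.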
