I am using a system to log in to a site that uses a number of subdomains of a subdomain. I have a development and live version of this system, however I am experiencing strange behaviour.
So, the setup is I have the following:
Development environment:
dev.mydomain.com
sub1.dev.mydomain.com
sub2.dev.mydomain.com
Live environment:
live.mydomain.com
sub1.live.mydomain.com
sub2.live.mydomain.com
As part of the login process, I use the following line to set the cookie:
setcookie("LoggedIn", 1, 0,'/','.mydomain.com');
This all works fine and I can log in once and access everything, however I want to restrict it so that if I log in on the test system, then I am not logged in to the live system and vice versa.
I expected the solution to this to be:
setcookie("LoggedIn", 1, 0,'/','.test.mydomain.com');
and
setcookie("LoggedIn", 1, 0,'/','.live.mydomain.com');
dependent on the system.
However, using this method I am able to log in to test.mydomain.com and live.mydomain.com independently but I am unable to log in to the sub-subdomains (sub1.test.mydomain.com, sub2. etc).
What am I doing wrong?
It might because of same-origin-policy. Please go through it.
i totally agree with your expectation the subdomain cookie should have priority over top domain but in most web frameworks you can't have duplicate cookie id, so even if you set the cookie domain as top and subdomain still both are valid, so i think the safest solution is you should try to change the cookie id for that specific domain usually i put it in the application configuration as variable
Related
I have a web server running LAMP. I have the website tbg.robotpidgeon.com set up to run the PHP login system that I copied from here (https://www.tutorialrepublic.com/php-tutorial/php-mysql-login-system.php).
Very basic login system using MySQLi.
In my apache2 config file for this web address, I have set up the virtual host and pointed it to where the PHP files are located. However, when you go to the above address it generates an index of the PHP files.
When I try to set up the virtual host to land on the login or welcome page I get a too_many_redirects error. So I am assuming that I have created a loop when I set the virtual host document root to a specific PHP file?
What should I do so that when I go to the above address it goes to the login/register page?
The browser is stopping you from hammering the server with a bunch of
requests. This is most likely due to the header() sending you to a
page which in turn sends you to the same page (or page with the same
header()).
In your session.php you have to destroy the session because it might
be set still but without that the query can find a existing user?
To unset sessions do this:
unset(); for all the session variables
unset($_SESSION['login_user']); for a specific session
I use a test domain in laravel and one subdomain is in use. Everything works fine,
test.com and user.test.com
but, Login function does not work on test domain
I have verified that the session file is generated at stoage / sessions
when I done login, it does not cognize my session. The login function works well on localhost url. how i can fix that?
i'm done config like this below
config / session.php
domain => ".test.com"
And if I set up like above, can I share login information between two domains?
Clear the cookies for the site and then try to log in again. Or If the issue still persists then try to change Session Cookie Name in config/session.php
We are having some issues with PHP Session Cookies not allowing us to log into our *SugarCRM** application which is open source PHP application.
The problem is we have the same application installed on 2 sub-domains like below...
Main site
www.domain.com
Dev site
dev.www.domain.com
Now after logging into one, it will not allow you to login to the other!
Please view the image below to see the Cookie problem...
In the image above you can see that there is 2 PHPSESSID Cookies competing for the Session!
If I now delete one of them, it allows me to login as normal without an issue!
Because this is SugarCRM, I am hoping I can resolve this issue without making really any core file modifications to the application. But if I have to, then we will.
So does anyone have any ideas on a good solution?
Right now my idea for a "Nasty Dirty Hack" which I really do NOT want to have to do. It is to make a button on the login form, this button will use JavaScript to clear/delete the PHPSESSID Cookies but again I would really like to find a proper solution.
If anyone has any ideas, please share? Thank you
UPDATE
Thanks for the answers so far. Please do take into acocunt that this is not a simple PHP application that I built where I can easily do code changes. THis is SugarCRM which is a massive large application with thousands of files
Try to setup in .htaccess parameter on subdomain
php_value session.cookie_domain .domain.com
or use in php code, but before "session_start()"
ini_set('session.cookie_domain', '.domain.com' );
Use
session_set_cookie_params
to set the session from the subdomain, on the principal domain.
Try to use function (http://php.net/manual/en/function.session-set-cookie-params.php):
session_set_cookie_params ( $lifetime, $path, $domain, $secure, $httponly)
And set one $domain = '.domain.com'
Or if you setting session cookie manually by setcookie, then setting the same domain too
Its actually not the domain you need to change, but the "session name" (name of the cookie parameter). Both apps seem to be using the default "phpsessid" and need to be made to differ, otherwise the apps will see eachother sessions, see the wrong session, or try to unserialize classes only defined in the other project.
You need to change the cookie parameter its storing the session ID in. It can be controlled from an environment variable (php.ini, .htaccess, etc.): http://us1.php.net/manual/en/session.configuration.php#ini.session.name
This way you can have multiple PHP sessions on the same domain. For example if you had example.com/sugarcrm and example.com/foo You could have sugarCRM store it's session ID in a cookie param called "sugarsession" (instead of the default phpsessid)
It has been a while since I had this issue but I think all you have to do is write each instances session file to a different directory by editing the config.php in each SugarCRM's file system and change the line
'session_dir' => '',
to point at a different directory.
I have a rails app running on Heroku, and I am trying to get a Wordpress blog set up on /blog for my domain for SEO purposes. I have Rack::ReverseProxy set up in my rails app pointing to the blog's subdomain, and have all of the configuration on the Wordpress side set up so all of the css and links work correctly. The problem I'm having is that when I go to /blog/wp-admin I am redirected to /blog/wp-login?redirect_to={blog's subdomain}&reauth=1, and after trying to log in I'm sent to the same page.
I've noticed that I'm not being cookied for the login even though Wordpress's Test Cookie is being set for the correct domain. I've even traced it through and in wp-includes/pluggable.php in wp_set_auth_cookie where it actually sets the cookie after a successful login, the calls to setcookie are returning true, but immediately after the cookies aren't added to my session (even though the Test Cookie does come through in the headers successfully)
Am I going down the wrong direction looking there? Are there any settings I should investigate to be able to log in this way?
I had this exact problem, and I finally tracked it down to a bug in rack-reverse-proxy. The set-cookie header was being sent in an improper format, so only the first cookie was being interpreted correctly by the browser. That happened to be the wordpress test cookie. All the other (useful) ones were being thrown away, so of course I could not log in.
I plan to submit a bug and branch to rack-reverse-proxy but in the meantime I fixed it with this patch in my config.ru:
class MyReverseProxy < Rack::ReverseProxy
private
def create_response_headers(http_response)
response_headers = super(http_response)
if response_headers
if response_headers["Set-Cookie"].is_a?(Array)
response_headers["Set-Cookie"] = response_headers["Set-Cookie"].join("\n")
end
end
response_headers
end
end
# this is to make /blog show my wordpress blog
use MyReverseProxy do
reverse_proxy_options :preserve_host => false
reverse_proxy(/^\/blog(\/.*)$/, 'http://your-blog-server.com$1')
end
I don't have an answer but I have a few suggestions to get a better understanding of what's going on.
If you are using Google Chrome, open the Network panel of the Developer Tools and watch what happens when you login.
Check to see which domain the cookies are being set for, when you look at the response headers for the POST request that processes your login, you should see Set-Cookie header(s), check whether that domains is .domain.com or blog.domain.com and see if that request is trying to forward you to a different place.
Another possibility is that your Wordpress installation may be configured differently than you want it, for example the site URL being www.domain.com/blog instead of blog.domain.com
Is it possible for you to go to the login page at blog.domain.com/wp-admin/?
I am facing a strange scenario. basically on my every web page i am doing
session_start();
if(!isset($_SESSION['login']))
header("Location: login.php");
to ensure every user has logged in first. I am working in chrome and what happens is if I login to my web application and open any page it works fine. At the same time if, in another tab, I login to my hosting server, I am logged out of my web application. If I login to my application again, I am logged out of my hosting server!!
What am I doing wrong? is there a problem the way I am checking or setting the session variable?
I am setting the session as follows:
//if authentication successful
session_start();
$_SESSION['login'] = "1";
I have a very similar problem, and I think this happens just because two sessions with the same name, in the same place of the same domain can't coexist.
Maybe a solution should be to use session cookies. You can set a cookie just for a folder and not for the whole domain. This way I think you can manage 2 sessions at the same time, but I'm not sure.
Try this:
session_start();
setcookie(session_name(), session_id(), 0, '/public/');
Where /public/ might be the specific folder where your site is located, or the application path (thanks Paul for pointing out this).
Then you will check if session is set:
$session_cookie =
isset($_COOKIE[ini_get('session.name')]) ?
$_COOKIE[ini_get('session.name')] :
null;
Probably this won't work, since the other session might be "stored" in the root folder of your web application. But if you are able to do the thing above also for your hosting server, you should resolve your problem.
You can also try to set a different name for the session in your web application.
Hope this helps.
I think you'll find the cause is that both hosts have the same network name e.g. test.www.example.com and www.example.com
Just use a different network name for the test machine and it should work or make sure you explicitly use non-overlapping values for session.cookie_domain