After logging in at this URL, www.example.com, if I remove the www extension from the address bar, the login detail value is not kept by the session.
Try creating a redirect function from non-www to www. See this topic: WWW to non-WWW Redirect with PHP
Your session is maintained by a cookie. When you log on to www.example.com, a cookie is saved for this domain by default, which is represented with every request to a URL in this domain. example.com is a different cookie domain, and the cookie won't therefore be presented.
Solutions are to either redirect from example.com to www.example.com as Andrei suggested, or to make the cookie domain match as Adnan suggests - both valid answers.
Put this in your globals, or in your includes file, or just add it before any session_start() call.
ini_set("session.cookie_domain",".example.com");
Another option would be to add this:
php_value session.cookie_domain .example.com
to your .htaccess
Try clearing the browser cache,
deleting temporary files and prefetch files.
Clear DNS from cmd: ipconfig /flushdns
Reopen the browser and log in; writing or removing www should not alter the session since it runs on the server.
Make sure you are not restarting the session.
Two questions regarding a Cookieless Domain (I've read a dozen or more posts on Cookieless domains, but some of the answers seem conflicting).
I am setting up my site to serve Static Content from a Cookieless Domain - using a subdomain and .htaccess. I have pages with many thumbnails and I don't want the cookie info sent with each image request.
In htaccess I have a rewrite rule which directs all my traffic to the www domain
RewriteBase /
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
I created a CNAME record static.example.com and point it to www.example.com.
My image requests now point to static.example.com and in Firebug I am looking at the Net tab. The request header shows the PHP Session Cookie PHPSESSID=.... and the response header shows no Cookie.
First Question:
Is having the session cookie in the request header unavoidable, or should I be trying to get rid of this as well? All requests come from a common directory (and its subdirectories). Should I do something like this?
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
UPDATE I tried putting this in the .htaccess in the directory of the jpg files - but headers were not blocked for the images served
Second Question:
Also, do I need to explicitly set the domain property of all my cookies? Docs say that if the domain is not specified then the current domain is used as the default. My current domain should always be www, right? But in response to my last post, someone said
You'll need to explicitly set all your cookies for www.example.com so
that they won't be shared among subdomains
When looking at my www.example.com cookies (in Firefox) which were set without specifying the domain, it shows the "host" as www.example.com but the "site" as example.com. It doesn't explicitly say what the "domain" is and these cookies aren't being included with the requests from static.example.com.
Thanks for your help. (If I should have posted two separate posts, let me know)
So after a long night, here is what I found:
In the end, I no longer have the session cookie showing up. In the end, I explicitly set the domain to www.example.com and the path to "/" for all cookies and once this was done (correctly), the cookie data is no longer in the request header for all file requests.
It might have worked without the domain being explicitly set. However, it was the most straightforward route and worked in the end.
My site uses PHP sessions to keep track of a logged in user. Every page has session_start(); implemented properly, however in Chrome when I place www. in front of the domain name it does not use the session variables. When I replace it back without the www. it works fine again, so the variables are not unset but rather just not being used.
In Firefox strangely it is the other way around. www. works and without does not. Is there a way around this? I'm having trouble because I'm using PayPal to redirect to my site and I can't have my users have to log out and back in directly after.
www.example.com and example.com are NOT the same website. They usually are, but only by convention. www.example.com is a subdomain of example.com
For this reason, cookies set on example.com will NOT be used on www.example.com and vice versa, because it would be unsafe to assume they are the same thing.
You can override this behaviour to some extent by allowing the session cookie to work on all subdomains as well as the main domain by setting the php.ini setting session.cookie_domain to .example.com (replace with your own domain name, of course)
You should either set the cookie_domain in PHP or make sure your users only see your site with www or without www. You can use .htaccess (apache server) to accomplish this.
Example to set your cookie domain for multiple subdomains:
session_set_cookie_params(0, '/', '.example.com');
session_start();
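The scoping rule these answers rely on, as an added example that is not part of the original posts: a model of the RFC 6265 domain-match check showing which of the hosts mentioned on this page receive a session cookie set by www.example.com. The function names are illustrative, the public-suffix check browsers also apply is left out, and PHP 7.4 or later is assumed.

```php
<?php
// Added example: models RFC 6265 cookie scoping; function names are illustrative.

/** RFC 6265 section 5.1.3 domain-match: equal, or $host ends with "." . $domain. */
function domainMatches(string $host, string $domain): bool
{
    $host = strtolower($host);
    $domain = strtolower(ltrim($domain, '.'));   // a leading dot is ignored
    if ($host === $domain) {
        return true;
    }
    // Suffix match applies to host names only, never to IP addresses.
    $suffix = '.' . $domain;
    return filter_var($host, FILTER_VALIDATE_IP) === false
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Would a browser attach a cookie set by $setBy to a request for $requestHost?
 * $domainAttr is the Domain attribute, or null when none was sent (host-only cookie).
 */
function cookieIsSent(string $setBy, ?string $domainAttr, string $requestHost): bool
{
    if ($domainAttr === null || $domainAttr === '') {
        return strtolower($setBy) === strtolower($requestHost);   // host-only: exact host
    }
    if (!domainMatches($setBy, $domainAttr)) {
        return false;   // browsers reject a Domain the setting host does not belong to
    }
    return domainMatches($requestHost, $domainAttr);
}

// Constructed sample: the three host names discussed on this page.
$hosts = ['example.com', 'www.example.com', 'static.example.com'];
$cases = [
    'no Domain (PHP default)' => null,
    'Domain=www.example.com'  => 'www.example.com',
    'Domain=.example.com'     => '.example.com',
];
foreach ($cases as $label => $domainAttr) {
    $sentTo = array_filter($hosts, fn ($h) => cookieIsSent('www.example.com', $domainAttr, $h));
    printf("%-26s -> %s\n", $label, implode(', ', $sentTo) ?: '(none)');
}
```

With Domain=.example.com the session ID is attached to requests for every subdomain, static.example.com included, which is the trade-off against the redirect approach.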
I have a script encoded with ionCube and when I log in to that script it creates a session for the domain with the www. only. So if I enter mydomain.com the session changes and I can't access session variables for WWW.mydomain.com.
I would have added the appropriate script so it creates a session for both with the www. and without but the script is encoded with ionCube.
So my problem is, I need to access sessions created with the WWW.mydomain.com from mydomain.com.
Any assistance would be appreciated :)
That is a security measure implemented by browsers to prevent cookie stealing.
The workaround is to set the cookie for the top-level-domain.
If you have domains www.example.com and example.com use the following code in the beginning of your PHP files.
ini_set('session.cookie_domain', '.example.com');
Session is the wrong term. What you are referring to are cookies. You need to set the cookie so that it's on the domain .mydomain.com
Write another script that runs in the www domain that will take the value of the cookie and write it to another cookie in the domain.com so that your scripts there can access it.
I am having a problem over and over where a member is logged into my site using www. and if he accesses a link without www., the session variables don't carry over.
What's the way to make them both access the same place?
Ideal
Your site should reside on one canonical domain. So you should pick either www. or the top level domain and change all your links so that they point to one web address. It would be wise to switch to setting the domain in a configuration and using that to create web addresses across your application - this way you can easily change the URL later if you wish.
If you are running Apache you can also easily redirect traffic from one domain to the other by adding the following to the .htaccess file of your site:
#enforce the use of the www. subdomain on the sites URL
RewriteCond %{HTTP_HOST} !^www\..*$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
I should also mention that there is a growing movement away from using the www. subdomain as the main "URL" for a site. See: http://no-www.org/index.php
Less ideal
You change the cookie configuration when you set it so that it will work across domains. This is described on the setcookie() manual page with the domain parameter:
The domain that the cookie is available to. Setting the domain to
'www.example.com' will make the cookie available in the www subdomain
and higher subdomains. Cookies available to a lower domain, such as
'example.com' will be available to higher subdomains, such as
'www.example.com'. Older browsers still implementing the deprecated
RFC 2109 may require a leading . to match all subdomains.
The only issue with this is that your site will still be accessible via two URLs.
Solution 1: Set the cookie's domain to the domain name without the www prefix (this way both requests should be sent with the cookie data).
Solution 2: Redirect everyone using the variant without the prefix to the one with the prefix (e.g. using mod_rewrite).
Modify your server configuration to 301 redirect traffic from 'yourdomain.com' to 'www.yourdomain.com'
When a user accesses the www.* site, redirect them to the other site automatically.
I'm writing the session on mydomain.com/login.php. I believe this can't be accessed in www.mydomain.com. Is that right?
How can I write to $_SESSION so I can access it from both the www. and non-www version of my domain?
Have a look at session_set_cookie_params.
It explains that setting . in the domain allows for access to subdomains as well:
Cookie domain, for example 'www.php.net'. To make cookies visible on all
subdomains then the domain must be prefixed with a dot like '.php.net'.
miki has an example
http://www.php.net/manual/en/function.session-set-cookie-params.php#94961
session_set_cookie_params("$lifetime","$path","$domain","$secure","$httponly") is the best one in PHP for setting the session on both www and non-www URLs.
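The redirect approach from the answers above done in PHP rather than .htaccess, as an added example that is not code from any of the posts: the canonical host comes from configuration instead of the client-supplied Host header, and the session cookie stays host-only. CANONICAL_HOST and canonicalRedirectTarget() are illustrative names; HTTPS and PHP 7.3 or later (for the array form of session_set_cookie_params) are assumed.

```php
<?php
// Added example: CANONICAL_HOST and canonicalRedirectTarget() are illustrative names.
const CANONICAL_HOST = 'www.example.com';   // assumption: the one host the site is served on

/**
 * Return the URL to redirect to, or null when the request already uses the canonical host.
 * The target host comes from configuration, never from the client-supplied Host header.
 */
function canonicalRedirectTarget(string $hostHeader, string $requestUri): ?string
{
    // Drop an optional :port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $hostHeader));
    if ($host === CANONICAL_HOST) {
        return null;
    }
    // Normalise to a single leading slash; scheme and host are fixed here.
    $path = '/' . ltrim($requestUri, '/');
    return 'https://' . CANONICAL_HOST . $path;
}

if (PHP_SAPI !== 'cli') {
    $target = canonicalRedirectTarget($_SERVER['HTTP_HOST'] ?? '', $_SERVER['REQUEST_URI'] ?? '/');
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Host-only session cookie: no Domain attribute, so it is sent to www.example.com only.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,      // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}
```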