Maintaining Session Variables across Subdomains - php

I have been trying to maintain session vars between two subdomains and found it impossible. I ended up creating 2 minimal PHP web pages as a test bed, one I call 'test 1' just sets
$_SESSION['test'] = "Fred";
and has a hyperlink to 'test 2' which simply tries to echo the value of $_SESSION['test'] to prove it's worked, or not. I place 'test 1' in my www domain and 'test 2' in my sub domain. I try various versions of what should go in the header, from various sources. Here are the main 3 (and of course their variants):
ini_set('session.cookie_domain',substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));
session_start();
or
ini_set('session.cookie_domain','mydomain.com');
session_start();
or
ini_set('session.cookie_domain', PHP_INI_ALL);
session_start();
or
session_set_cookie_params(0, "/", ".mydomain.com", false);
session_start();
I find that I get an identical result in every case. The session is not carried across the subdomains and page test 2 has no idea what value I set $_SESSION['test'] to. Yet there seems to be plenty of certainty around the 'net that one of the above methods should work. Any idea what could be going on, especially since I am using minimal pages to test the mechanism (no side effects that I can see)? By the way I am on a shared server, if that's pertinent here.
Thank you for your thoughts. Frank.
Edit.
I fixed it. The problem was caused by Suhosin. See detailed answer at the foot of this page.

Ok I nailed it and it was a stinker.
Suhosin's suhosin.session.cryptdocroot option was the entire cause of the problem. When the session encryption key is based on the DocRoot it causes the subdomains to fail to see each other's session variables when the base domain and the subdomains are served from different directories. This leads to the session vars on the server being stored in different folders and hence they are not visible to each of the corresponding domains.
Solution. Simply add these 2 lines in your php.ini file:
suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off
A 48 hour nightmare to track down, 4.8 seconds to fix.
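
An added diagnostic, not code from the posts above: it reports the settings that decide whether two hosts can see the same PHP session, including the two Suhosin switches named in the answer, and compares this host's report with one pasted from the other host. The function names and the sample report (with its paths) are assumptions constructed for illustration.

```php
<?php
// Added diagnostic, not code from the posts above. Deploy on both hosts after
// each site's own session setup, then compare the two JSON reports.

function session_sharing_report(): array
{
    $report = [
        'host'          => $_SERVER['HTTP_HOST'] ?? '(cli)',
        'document_root' => $_SERVER['DOCUMENT_ROOT'] ?? '',
        'session_name'  => session_name(),
        'cookie_domain' => (string) ini_get('session.cookie_domain'),
        'save_handler'  => (string) ini_get('session.save_handler'),
        'save_path'     => (string) session_save_path(),
    ];
    // The two Suhosin switches named in the answer; false when Suhosin is absent.
    foreach (['suhosin.session.cryptdocroot', 'suhosin.cookie.cryptdocroot'] as $key) {
        $report[$key] = extension_loaded('suhosin')
            && filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
    }
    return $report;
}

function sharing_problems(array $a, array $b): array
{
    $problems = [];
    foreach (['session_name', 'cookie_domain', 'save_handler', 'save_path'] as $key) {
        if ($a[$key] !== $b[$key]) {
            $problems[] = "$key differs: '{$a[$key]}' vs '{$b[$key]}'";
        }
    }
    if ($a['document_root'] !== $b['document_root']) {
        foreach (['suhosin.session.cryptdocroot', 'suhosin.cookie.cryptdocroot'] as $key) {
            if ($a[$key] || $b[$key]) {
                $problems[] = "$key is On and the document roots differ";
            }
        }
    }
    return $problems;
}

// Constructed sample: report pasted from the other host (paths are made up).
$other = ['host' => 'sub.mydomain.com', 'document_root' => '/home/example/sub',
          'session_name' => 'PHPSESSID', 'cookie_domain' => '.mydomain.com',
          'save_handler' => 'files', 'save_path' => '/tmp',
          'suhosin.session.cryptdocroot' => true, 'suhosin.cookie.cryptdocroot' => true];

$mine = session_sharing_report();
echo json_encode(['report' => $mine, 'problems' => sharing_problems($mine, $other)], JSON_PRETTY_PRINT);
```

Remove the script from both hosts once the comparison is done, since it discloses server paths and session configuration.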

I have it working, setting a session name and session cookie parameters:
$some_name = session_name("some_name");
session_set_cookie_params(0, '/', '.some_domain.com');
session_start();

Related

php session_set_cookie_params() for two domains

I need to set the PHPSESSID cookie for just two domains:
www.domain.tld
sub.domain.tld.
Other subdomains should not share the same PHPSESSID.
I can use session_set_cookie_params(), but as far as I can see, this can only set it for one domain or all subdomains.
But in my case, subdomain anothersub.domain.tld should not have this PHPSESSID.
I want this because we have images on a subdomain, and setting the PHPSESSID for all subdomains causes the browser to send the PHPSESSID cookie with the request. This has slight performance issues for static resources and it is recommended to use cookieless domains.
This can't be done this way, this is unrelated to PHP. This is how cookies work in general. Only one domain (or a domain with a dot in front) can be set.
You have to use a different domain for image hosting.
While as was already explained, this is not technically possible, due to the cookie “syntax”, I think you should be able to work around that, if you simply set a second cookie yourself.
Use session_set_cookie_params to have it set the cookie for www.domain.tld only.
Add your own code after session_start, that sets the “same” cookie again, just for sub.domain.tld this time.
session_name and session_id help you figure out the necessary name and value; if you want, you can also use session_get_cookie_params to match other parameters (like lifetime and maybe path, if the latter makes any sense in the given setup) as well if you like.
Edit: Keep in mind though, that if the session id might change at any other point within your app after session_start, for example if session_regenerate_id is used anywhere, you will of course have to update your second cookie there as well.
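
An added example, not part of the posts above: a simplified model of the cookie Domain matching rule from RFC 6265, applied to the three hosts named in the question, showing which hosts receive a session cookie set by www.domain.tld for each Domain value. The function names are assumptions, and public-suffix and IP-address handling are left out.

```php
<?php
// Added illustration (not from the posts): simplified RFC 6265 domain matching.
// No public-suffix or IP-address handling. Hosts are those named in the question.

function domain_match(string $host, string $domain): bool
{
    $host   = strtolower($host);
    $domain = strtolower(ltrim($domain, '.'));   // a leading dot is ignored
    if ($domain === '') {
        return false;
    }
    return $host === $domain
        || substr($host, -strlen($domain) - 1) === '.' . $domain;
}

// $domainAttr === null models a cookie set without a Domain attribute (host-only).
function cookie_reaches(string $setter, ?string $domainAttr, string $target): bool
{
    if ($domainAttr === null) {
        return strtolower($setter) === strtolower($target);
    }
    // A browser discards a cookie whose Domain the setting host does not match.
    if (!domain_match($setter, $domainAttr)) {
        return false;
    }
    return domain_match($target, $domainAttr);
}

function scope_table(string $setter, array $domainAttrs, array $hosts): array
{
    $table = [];
    foreach ($domainAttrs as $attr) {
        $label = $attr ?? '(host-only)';
        foreach ($hosts as $host) {
            $table[$label][$host] = cookie_reaches($setter, $attr, $host);
        }
    }
    return $table;
}

$hosts = ['www.domain.tld', 'sub.domain.tld', 'anothersub.domain.tld'];
$table = scope_table('www.domain.tld', [null, '.domain.tld', 'www.domain.tld', 'sub.domain.tld'], $hosts);

foreach ($table as $label => $row) {
    printf("%-16s %s\n", $label, json_encode($row));
}
```

Under this model, no single Domain value reaches www.domain.tld and sub.domain.tld without also reaching anothersub.domain.tld, and a response from www.domain.tld cannot store a cookie whose Domain is sub.domain.tld.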

PHP $_Session transfer across domain

Yes, I know this has been asked a thousand times.. But, I've still been unable to find any specific fix that seems to work every time. I've tried many of the fixes people have suggested and I'm still having the same issue as before.
So, I run a server with a setup of multiple domains. They're all on the exact same server, and there is no transfer between servers here.
carnal.ueteribus.com <--- The Cookie is read and displayed here.
www.ueteribus.com <--- The login script is hosted here.
Basically those are the only two domains, and I'm trying to get the information from WWW to transfer to Carnal. Which is easier said than done.
Currently I've been trying to use
ini_set('session.cookie_domain', '.ueteribus.com');
Which hasn't worked, or maybe I have it programmed wrong. Anyways, any help would be very appreciated and if any additional information is required I am more than happy to provide.
NOTE: I do not have access to the PHP.ini, the company has denied such access.
session_name('LoginSession');
session_set_cookie_params(0, '/', 'ueteribus.com');
session_start();
I've also tried that
That seems to work in creating a named Cookie, but I couldn't figure out how to call it. My script wouldn't work anymore to call the actual login status, and I couldn't figure out how to fix it to ensure that this was even working.
<?php
session_set_cookie_params(0, '/', '.ueteribus.com');
session_start();
if (isset($_SESSION['error'])) {
echo $_SESSION['error'];
}
?>
Maybe something like this:
session_name('shared-name-between-sub-domains');
session_set_cookie_params(0, '/', '.domain.com');
session_start();
The absolute first two things in your scripts need to be:
ini_set('session.cookie_domain', '.xxxx.com');
session_start();
in that order, and any sessions begun before adding that code will become inaccessible.
This assumes that both domain1.xxxx.com and www.xxxx.com live on the same server and use the same instance of PHP. It is impossible to share PHP session data across servers without writing your own custom session handler.
If there are no other domains on the server you may want to simply set session.cookie_domain in your php.ini.

PHP: what is the purpose of session_name

I'm not quite sure what the purpose of session_names is..
Can someone please explain in what circumstances defining a name would be beneficial?
You have two sites on the same domain. (say, a blog and a forum)
They both run different pieces of software.
If they ran on the same session and used the same variables in $_SESSION, (say, user_id), they would conflict.
session_name lets you give each application a different session.
The default is - I think - PHPSESSID. If you have more than one application on the same host, they would share those sessions. So, you should set different session names for each application, so that there is no weird stuff happening.

Intermittent Sessions

I have a site I'm deploying and I've hit a problem. I was testing my code in a sub-directory of my client's hosting package and everything seemed fine. However I've moved the folders/files to the site root and now I'm intermittently losing all session data.
I've taken a look with LiveHeaders in Firefox and these cookies are being set:
Cookie: __utma=196298984.443251570.1275554915.1275554915.1275557276.2;
__utmz=196298984.1275554915.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmb=196298984.188.10.1275557276; PHPSESSID=3f5a363de3b7ec6084c7fdf90bec78a8;
__utmc=196298984
and
Cookie: __utma=196298984.443251570.1275554915.1275554915.1275557276.2; _utmz=196298984.1275554915.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmb=196298984.189.10.1275557276; PHPSESSID=3f5a363de3b7ec6084c7fdf90bec78a8;
__utmc=196298984
I'm by no means an expert on headers so if you need other information, I should be able to get it.
For a session to work, two elements have to both be working:
First, the browser must send the same PHPSESSID cookie with every request. The session ID will change from one session to another, so if you login tomorrow (or later today, or in a different browser, et cetera) you'll get a different ID than you have now, but during a single session the ID should not be changing.
Second, the server must be able to access the same files associated with that ID during every request. By default, PHP stores that information in the /tmp/ directory. If you have access, you could even poke around there and see what's getting stored.
The first issue is easiest to test for. Take a look at what cookies are being sent while the session is working, and then check again after the session stops working and see if the PHPSESSID has changed. The most likely cause for behavior like this would be a poorly set local computer clock, poor timeout settings on the session, et cetera.
The second issue is a bit trickier. If your browser is sending the right cookie with every request, but PHP can't access the file with information about that session, the problem is with the server. You might consider storing your sessions in a database (if you're using one anyway), which is easily done with code in the PHP manual.
A couple of things that come to my mind:
1 : Make sure that if your session is being created on www.abc.com, then all browsing happens on exactly that domain, if some pages are being sent to abc.com instead of www.abc.com, this is likely to cause session/cookie problems.
2 : also make sure that session_start instruction is available on top of ALL pages.

CakePHP dropping session between pages

I have an application with multiple regions and various incoming links. The premise, well it worked before, is that in the app_controller, I break out these incoming links and set them in the session.
So I have a huge beforeFilter() in my app_controller which catches these and sets two variables in the session. Viewing.region and Search.engine, no problem.
The problem arises that the session does not seem to be persistent across page requests. So for example, going to /reviews/write (userReviews/add) should have a session available which was set when the user arrived at the site. Although it seems to have vanished!
It would appear that unless $this->params is caught explicitly in the app_controller and a session variable written, it does not exist on other pages.
So far I have tried, swapping between storing session in 'cake' and 'php' both seem to exhibit the same behaviour. I use 'php' as a default. My Session.timeout is '120', Session.checkAgent is False and Security.level is 'low'. All of which should give enough leniency to the framework to allow sessions the most room to live!
I'm a bit stumped as to why the session seems to be either recreated or blanked when a new page is being requested. I have commented out the requestAction() calls to make sure that isn't confusing the session request object also, which doesn't seem to make a difference.
Any help would be great, as I don't want to have to recode the site to pass all the various variables via parameters in the url, as that would suck, and it's worked before, thus switching on $this->Session->read('Viewing.region') in all my code!
Try setting the security setting in your /app/config/core.php file to medium or low. That solved a session problem I had.
I had the solution, or at least one that worked for me.
You are trying to pass from controller reviews action write to controller userReviews action add, right?
Check that your controller userReviews ends with the PHP tag "?>" and NO MORE SPACE.
So if you have something like this
line
999 //more code lines
1000 ?>
1001
your session fails
you have to have this
line
999 //more code lines
1000 ?>
Sorry for my bad English
soo you
"It would appear that unless $this->params is caught explicitly in the app_controller and a session variable written, it does not exist on other pages."
That sounds like the proper behavior unless you are posting data from page to page. If you want any variable to persist, it should either be set in the model (where it will persist with the association), or passed on in a function, or set in the session explicitly using the session component:
$this->Session->write('Viewing.region', $region); // $region: the value to store (placeholder variable)
(see: http://book.cakephp.org/view/398/Methods)
On a related note, I've had most success with sessions stored in the database. Run the file from app/config and set it to db. See if that helps.
Also, do the Cake core tests for the session work?
Might it be this problem? Essentially, cake's session resets if the user-agent changes
It's a shame that I ran into this very problem you mention a few days ago and now I cannot find the link that helped me solve it.
Also: are you using database or plain php sessions?
I'm going to go out on a limb here without being able to look at your code, but might it be possible that your "reviews" controller (or whatever) has its own beforeFilter() and doesn't call its parent's beforeFilter() explicitly?
This has burned me before...
I got some issues like this. A session set using some controller was not available in another controller. I could clear the issue after spending a few hours. There was a white space after the end of the PHP tag at the bottom. After clearing the line and white space after the last ?> tag, it worked fine.
I had this problem when moving a CakePHP site. My problem was that the session directory wasn't writeable. You should make sure the folder app/tmp and all its subfolders (including sessions) have permission 777.
