I wonder how this quote from the PHP manual should be interpreted:
session.cookie_domain specifies the domain to set in the session
cookie. Default is none at all meaning the host name of the server
which generated the cookie according to cookies specification.
Does it mean that when calling session_start on URL www.somedomain.com/somepage.php the cookie will have the following form:
Set-Cookie PHPSESSID=e48gh5mqggccgmn8172f0j5a06; path=/; domain=.somedomain.com
Or
Set-Cookie PHPSESSID=e48gh5mqggccgmn8172f0j5a06; path=/; domain=www.somedomain.com
I have seen on index pages the first cookie header and on other pages a header without a domain.
Can someone bring some insight on this?
Thanks
No, php will usualy set the cookie for the current domain ex: wwww.domain.com.
To have everything consistent, you must either redirect all request to the same domain, or explicitly set the cookie for all subdomains.
EDIT: actualy, this is true for Firefox. I think PHP will not actualy set the domain, so the browser is free to use whatever he wants. Internet Explorer i think will set it for any subdomain
No PHP by default never set session cookie for all subdomains.
If you want to set a cookie across all subdomains then you can do this by using this code:
<?php
$currentCookieParams = session_get_cookie_params();
$rootDomain = '.example.com';
session_set_cookie_params(
$currentCookieParams["lifetime"],
$currentCookieParams["path"],
$rootDomain,
$currentCookieParams["secure"],
$currentCookieParams["httponly"]
);
session_name('mysessionname');
session_start();
setcookie($cookieName, $cookieValue, time() + 3600, '/', $rootDomain);
?>
For reference please visit http://www.php.net/manual/en/function.session-set-cookie-params.php
It does set the cookie for the domain visible in the client's browser (so, option 2 in your question). If you want to set a cookie for all subdomains you should call session_set_cookie_params() and put ".domain.com" in the $domain parameter.
Related
I use PHP sessions (not cookies, except for session id cookie) for all user data, and when a user goes to their profile user.mydomain.example they are immediately "logged out" until then remove the subdomain.
Is there a way to accept sessions from all domains as long as its *.mydomain.example
Here are 4 options.
Place this in your php.ini:
session.cookie_domain = ".example.com"
Or in your .htaccess:
php_value session.cookie_domain .example.com
Or as the first thing in your script:
ini_set('session.cookie_domain', '.example.com' );
Or in your php-fpm pool configuration for your site:
php_value[session.cookie_domain] = .example.com
if(isset($_COOKIE['session_id']))
session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();
if(!isset($_COOKIE['session_id']))
setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');
security be damned, if you are as frustrated with incomplete or bad answers as I am, this is your savior. It just works.
change the session name at the top of the core functions file
like
session_name('mysession');
then use the following code into the php page
session_set_cookie_params(0,"/",".example.com",FALSE,FALSE);
setcookie(session_name(), session_id(),0,"/","example.com");
session_start();
finally change the default session name of the subdomain and remove the default cookie in subdomain's core functions file
like:
/*default session name*/
session_name("mysession");
/*remove the PHPSESSID and default session name from subdomain's cookie*/
setcookie( "mysession", "",1,"/" );
setcookie( "PHPSESSID", "",1,"/" );
if you continue with using your cookie name as PHPSESSID ,just remove all the functions with
"mysession" string like session_name('mysession'), setcookie( "mysession", "",1,"/" );
then check your browser's existing cookies, just remove all the cookies of domain and subdomain, and repeat the process.
I know this is quite old - but to further expand on #CTT's suggestion - I needed to add a php.ini file in each sub-directory (that will be executing php code and requires the session) of my subdomain with the following text:
suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off
I hope this helps (it took me ages to figure this out).
Another option that worked for me: is to force the name of the session:
session_name("myWebsite");
session_start();
yes. ini_set is working. but remember to destroy all caches and cookies of the browser to see it works.
destroy all caches and cookies of your browser
in your xxx.example.com and yyy.example.com, your php files should start like this.
ini_set('session.cookie_domain', '.example.com' ); session_start();
I just had this problem and it turns out I was using different php.ini files for two different sub-domains. These ini files specified different session.save_path variables. For obvious reasons this needs to be the same for all sub-domains that need to share sessions.
Before session_start() use session_set_cookie_params() replacing .domain.example with your domain like this example:
session_set_cookie_params(0, '/', '.domain.example');
session_start();
Try This:
session_start();
$sessionId = session_id();
logged the user. When user will switch to other subdomain sent the session id in the URL like this user.mydomain.example/?id=$sessionId
$sessionId = $_GET['id'];
session_start($sessionId);
Now the user will get all the session values and stay logged in.
if(isset($_COOKIE['session_id']))
session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();
if(!isset($_COOKIE['session_id']))
setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');
This is a good solution, but you cannot use it in all situations. For examples it will not work when you cannot rely on not-session cookies.
This actually MUST work if you use it correctly.
ini_set('session.cookie_domain', '.example.com' );
For example you need to put it before session_start() and also in all files that call session_start()
Can anyone tell me how to read cookie from subdomain. I can set the cookie for subdomain but unable to read it.
Please tell me what is the syntax in PHP to read cookie from subdomain.
If you're enabled to read in other subdomain, it's probably because you didn't properly set the cookie to begin with.
$date_of_expiry=time()+ 3600;
setcookie( "cookie_name", "cookie_value", $date_of_expiry, "/", "example.com" );
It's important that you put the last argument for the cookie to be available in other subdomains.
Also, the cookies must be set before page output.
I use PHP sessions (not cookies, except for session id cookie) for all user data, and when a user goes to their profile user.mydomain.example they are immediately "logged out" until then remove the subdomain.
Is there a way to accept sessions from all domains as long as its *.mydomain.example
Here are 4 options.
Place this in your php.ini:
session.cookie_domain = ".example.com"
Or in your .htaccess:
php_value session.cookie_domain .example.com
Or as the first thing in your script:
ini_set('session.cookie_domain', '.example.com' );
Or in your php-fpm pool configuration for your site:
php_value[session.cookie_domain] = .example.com
if(isset($_COOKIE['session_id']))
session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();
if(!isset($_COOKIE['session_id']))
setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');
security be damned, if you are as frustrated with incomplete or bad answers as I am, this is your savior. It just works.
change the session name at the top of the core functions file
like
session_name('mysession');
then use the following code into the php page
session_set_cookie_params(0,"/",".example.com",FALSE,FALSE);
setcookie(session_name(), session_id(),0,"/","example.com");
session_start();
finally change the default session name of the subdomain and remove the default cookie in subdomain's core functions file
like:
/*default session name*/
session_name("mysession");
/*remove the PHPSESSID and default session name from subdomain's cookie*/
setcookie( "mysession", "",1,"/" );
setcookie( "PHPSESSID", "",1,"/" );
if you continue with using your cookie name as PHPSESSID ,just remove all the functions with
"mysession" string like session_name('mysession'), setcookie( "mysession", "",1,"/" );
then check your browser's existing cookies, just remove all the cookies of domain and subdomain, and repeat the process.
I know this is quite old - but to further expand on #CTT's suggestion - I needed to add a php.ini file in each sub-directory (that will be executing php code and requires the session) of my subdomain with the following text:
suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off
I hope this helps (it took me ages to figure this out).
Another option that worked for me: is to force the name of the session:
session_name("myWebsite");
session_start();
yes. ini_set is working. but remember to destroy all caches and cookies of the browser to see it works.
destroy all caches and cookies of your browser
in your xxx.example.com and yyy.example.com, your php files should start like this.
ini_set('session.cookie_domain', '.example.com' ); session_start();
I just had this problem and it turns out I was using different php.ini files for two different sub-domains. These ini files specified different session.save_path variables. For obvious reasons this needs to be the same for all sub-domains that need to share sessions.
Before session_start() use session_set_cookie_params() replacing .domain.example with your domain like this example:
session_set_cookie_params(0, '/', '.domain.example');
session_start();
Try This:
session_start();
$sessionId = session_id();
logged the user. When user will switch to other subdomain sent the session id in the URL like this user.mydomain.example/?id=$sessionId
$sessionId = $_GET['id'];
session_start($sessionId);
Now the user will get all the session values and stay logged in.
if(isset($_COOKIE['session_id']))
session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();
if(!isset($_COOKIE['session_id']))
setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');
This is a good solution, but you cannot use it in all situations. For examples it will not work when you cannot rely on not-session cookies.
This actually MUST work if you use it correctly.
ini_set('session.cookie_domain', '.example.com' );
For example you need to put it before session_start() and also in all files that call session_start()
How to get session cookies working / to be accessible under domain and subdomains?
For session cookies you need to override the cookie params:
So you can either use:
ini_set('session.cookie_domain', '.website.com');
or
session_set_cookie_params(0, '/', '.website.com');
The '.' in front makes it accessible under the domain and the subdomains.
Note: you will have to delete all existing cookies from your browser for the domain you're working with so they can be re-initialized properly to work.
If you set the cookie for the "top" domain (example.com), the cookie will also apply to subdomains (sub.example.com, another.example.com).
As an aside, this is the reason why some larger companies use completely separate domains to serve static stuff, like stackoverflow uses http://sstatic.net/
I'm assuming you are using setcookie(). If so just set the cookie for ".domain.com".
setcookie("testcookie", "1", 0, "", ".domain.com");
I use PHP sessions (not cookies, except for session id cookie) for all user data, and when a user goes to their profile user.mydomain.example they are immediately "logged out" until then remove the subdomain.
Is there a way to accept sessions from all domains as long as its *.mydomain.example
Here are 4 options.
Place this in your php.ini:
session.cookie_domain = ".example.com"
Or in your .htaccess:
php_value session.cookie_domain .example.com
Or as the first thing in your script:
ini_set('session.cookie_domain', '.example.com' );
Or in your php-fpm pool configuration for your site:
php_value[session.cookie_domain] = .example.com
if(isset($_COOKIE['session_id']))
session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();
if(!isset($_COOKIE['session_id']))
setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');
security be damned, if you are as frustrated with incomplete or bad answers as I am, this is your savior. It just works.
change the session name at the top of the core functions file
like
session_name('mysession');
then use the following code into the php page
session_set_cookie_params(0,"/",".example.com",FALSE,FALSE);
setcookie(session_name(), session_id(),0,"/","example.com");
session_start();
finally change the default session name of the subdomain and remove the default cookie in subdomain's core functions file
like:
/*default session name*/
session_name("mysession");
/*remove the PHPSESSID and default session name from subdomain's cookie*/
setcookie( "mysession", "",1,"/" );
setcookie( "PHPSESSID", "",1,"/" );
if you continue with using your cookie name as PHPSESSID ,just remove all the functions with
"mysession" string like session_name('mysession'), setcookie( "mysession", "",1,"/" );
then check your browser's existing cookies, just remove all the cookies of domain and subdomain, and repeat the process.
I know this is quite old - but to further expand on #CTT's suggestion - I needed to add a php.ini file in each sub-directory (that will be executing php code and requires the session) of my subdomain with the following text:
suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off
I hope this helps (it took me ages to figure this out).
Another option that worked for me: is to force the name of the session:
session_name("myWebsite");
session_start();
yes. ini_set is working. but remember to destroy all caches and cookies of the browser to see it works.
destroy all caches and cookies of your browser
in your xxx.example.com and yyy.example.com, your php files should start like this.
ini_set('session.cookie_domain', '.example.com' ); session_start();
I just had this problem and it turns out I was using different php.ini files for two different sub-domains. These ini files specified different session.save_path variables. For obvious reasons this needs to be the same for all sub-domains that need to share sessions.
Before session_start() use session_set_cookie_params() replacing .domain.example with your domain like this example:
session_set_cookie_params(0, '/', '.domain.example');
session_start();
Try This:
session_start();
$sessionId = session_id();
logged the user. When user will switch to other subdomain sent the session id in the URL like this user.mydomain.example/?id=$sessionId
$sessionId = $_GET['id'];
session_start($sessionId);
Now the user will get all the session values and stay logged in.
if(isset($_COOKIE['session_id']))
session_id($_COOKIE['session_id']);
Zend_Session::start(); //or session_start();
if(!isset($_COOKIE['session_id']))
setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');
This is a good solution, but you cannot use it in all situations. For examples it will not work when you cannot rely on not-session cookies.
This actually MUST work if you use it correctly.
ini_set('session.cookie_domain', '.example.com' );
For example you need to put it before session_start() and also in all files that call session_start()