Sharing $_SESSION variables across subdomains using PHP

I am trying to share the contents of the session variable across two subdomains but for some reason it is not working.
The sessionid is exactly the same on both subdomains but the variables aren't available.
I can achieve this with Cookies and this is working but would rather use the values in the session.
Here is how I'm setting the domain for the session:
Thanks,
Scott
UPDATE
Sorry should have said, I am already using the following:
ini_set('session.cookie_domain', substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));
if (session_id() == '') { session_start(); }

You are looking for this function: session_set_cookie_params().
Say you have two domains:
site1.example.com
site2.example.com
In order to share your session data across both domains, call the following function before session_start():
session_set_cookie_params(0, '/', '.example.com');
(Edit: indeed I forgot a dot in the example code)
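
A hardened variant of the call above, added here as an example (not code from the original answer): the cookie domain comes from a fixed allow-list rather than a substring of the request's host name, and the widened cookie carries Secure, HttpOnly and SameSite. The host names, `SHAREDSESSID` and both function names are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original answers. The host names and the
// parent domain below are constructed placeholders.
const SHARED_PARENT = 'example.com';
const ALLOWED_HOSTS = ['site1.example.com', 'site2.example.com'];

/**
 * Return the cookie Domain to use for this request, or null when the host
 * is not one we serve. The value comes from a fixed allow-list, never from
 * a substring of the client-supplied Host header.
 */
function shared_cookie_domain(string $hostHeader): ?string
{
    // Drop an optional :port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    return in_array($host, ALLOWED_HOSTS, true) ? SHARED_PARENT : null;
}

function start_shared_session(string $hostHeader): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;                           // already started, nothing to change
    }
    $domain = shared_cookie_domain($hostHeader);
    if ($domain === null) {
        return false;                          // unknown host: no shared session
    }
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_name('SHAREDSESSID');              // hypothetical name, distinct from PHPSESSID
    session_set_cookie_params([
        'lifetime' => 0,                       // session cookie, as in the answer
        'path'     => '/',
        'domain'   => $domain,                 // sent to example.com and all its subdomains
        'secure'   => true,                    // HTTPS only
        'httponly' => true,                    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return session_start();
}

// CLI demonstration of the host check with constructed inputs.
if (PHP_SAPI === 'cli') {
    foreach (['site1.example.com', 'SITE2.example.com:8443', 'other.test'] as $h) {
        printf("%-24s => %s\n", $h, var_export(shared_cookie_domain($h), true));
    }
}
```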

"The sessionid is exactly the same on both subdomains (..)"
Are you sure that the value (not the name) of sessionid is the same?
I needed a similar thing 2 years ago, but I needed it to work on completely different virtual hosts (e.g., example.com and something.else.net), so I wrote a small script that ensures that the user gets the same session_id on different virtual hosts. Source code is available at http://www.misc.lv/_downloads_file.php?id=18, but there's a small bug on line 58 - arguments of strpos() should be swapped (I'm too lazy to fix it and upload the fixed script).
Basic requirements/steps are:
all pages should be on the same server, as they need a common "storage" for session variables;
there must be one "main" host; there's no limit on a number of "additional" hosts;
if currently opened page is on the "main host" (and it is not a request of session_id), nothing "extraordinary" has to be done;
if page is not on the "main host" and there is an active session, nothing "extraordinary" has to be done, as session_id probably has already been shared;
if page is not on the "main host" and there is no active session, request a session_id from the "main host".

Related

Dealing with two PHP session cookies?

I'm trying to deal with two PHPSESSID cookies. One uses the www subdirectory - so www.mydomain.com - while the other uses .mydomain.com.
As it stands now the script is able to set the cookie domain, but if another script is run at the www subdomain before I access mydomain.com, then the cookie is set for www.mydomain.com. Then if I visit mydomain.com a cookie for .mydomain.com is set. This means that I can end up with two PHPSESSID cookies.
Is there a way to be sure of which cookie I'm dealing with in a scenario like this?
I've looked at another post but didn't come away with anything conclusive.
How to handle multiple cookies with the same name?
Why not just change the session cookie name in the php.ini?
session.name = WHATEVER_YOU_LIKE
You should instead redirect all of your traffic to one of the two. This will take care of your issue you are having and take care of duplicate search results. Use either www or no www. Check line 362:
https://github.com/h5bp/html5-boilerplate/blob/master/.htaccess
Unless you have a reason to use both www. and .
Put this at the top of the first php file that runs, like index.php or a config.php file.. before the session starts.
<?php
if (stripos($_SERVER['HTTP_HOST'], 'www') === false) {
    ini_set('session.cookie_domain', 'site.com');
} else {
    ini_set('session.cookie_domain', 'www.site.com');
}
?>
This will cause the cookie to only be associated with 1 or the other domains, meaning that the user can have 2 cookies named PHPSESSID.

How can I manage separate session states for two different websites on the same hosting using php

I am currently developing two web sites, and debugging them by connecting to localhost.
The first site is referenced with http://localhost/web1 and the second is referenced with http://localhost/web2.
I have created a login script for each in which three domain-specific session variables are set, e.g.:
$_SESSION['web1_user']
$_SESSION['web1_login']
$_SESSION['web1_sessionID']
However, when I log in to both sites on the same browser, then log out of one site (which fires session_destroy()), I am automatically logged out of the second site as well.
Any ideas as to how I might resolve this problem would be very much appreciated. :(
Ahhh, the pleasures of shared hosting!
The best thing to do is simply use a different browser for each site whenever you actually require being logged in to both sites simultaneously...
To explain why this is important, you must understand the following, however:
Session variables are stored on the server, with a keyed reference on the server and a cookie on your browser. Once you unset and destroy either of the two, a match can no longer be made - and your session is gone!
session_start();
session_unset();
session_destroy();
The above will kill all session variables linking the server to your browser (on the server side).
The way to manage this easily is to make session variables into another set of arrays:
$_SESSION["site1"] = array( $user_id, $session_id );
$_SESSION["site2"] = array( $user_id, $session_id );
You could of course make it fancy:
$_SESSION['site3']['userID'] = 'someuserid';
$_SESSION['site3']['sessionid'] = 'somesessionid';
Then when you logout from site 1
session_start();
unset($_SESSION['site1']);
In this case, you have created a separate session management system for each site (using a two-dimensional array, the top layer of which is keyed by your site's identifier). This makes it so that each site manages a separate set of session variables - and when you destroy one, you do not touch the others.
However, I realllllllllly recommend using different browsers instead (or in addition)...
I recently solved a problem which is related to your question. Originally, I was looking for an implementation similar to what you are describing, and after doing quite a bit of searching around - this is what I came up with:
Site 1 :
ini_set("session.cookie_domain", "yourdomainname");
$some_name = session_name("some_name");
$domain = 'your domain name';
session_set_cookie_params(0, "/", $domain);
session_start();
$_SESSION['user']=$_POST['user'];
$_SESSION['password']=$_POST['password'];
Site 2 :
$some_name = session_name("some_name");
ini_set('session.cookie_domain', 'yourdomainname');
session_start();
echo $_SESSION['user'];
echo $_SESSION['password'];
This change worked well for me - and my guess is that it will also help you.
Use
session_name('web1');
before session_start();
Set a different session name in each app, either via session_name() or via session.name.
You can use this:
ini_set("session.cookie_domain", ".example.com");
You need to make a different host for each site.
In this case you have two sites running on the same host, called localhost, so for the same host name sessions are shared.
Include the file with the session start in the second domain.
web1 contains the session start file, web2 include('../web1/session.php');
You can use a different session name in each website: for the first website you have used $_SESSION['web1_user'], $_SESSION['web1_login'], $_SESSION['web1_sessionID'], then for the second website you can use $_SESSION['web2_user'].
I have already faced this problem and solved it using a different session name.
Because sessions are shared in the same browser, if you log out from one tab, the other tabs will be logged out.
Example: I log in in Chrome, and I open another Chrome window; the sessions are shared, so if I log out from one, the other one gets logged out automatically!

PHP Can't read cookies?

I would like to use PHP to see if a cookie PHPSID27258STATUS is present with the value COMPLETE and if so do stuff.
In google chrome (in Options) I can see this cookie is present and has the value COMPLETE.
If I run this PHP script I get 'Not Set'. What am I doing wrong here?
$cookiename="PHPSID27258STATUS";
if (isset($_COOKIE[$cookiename]) && $_COOKIE[$cookiename] == "COMPLETE")
--update
The cookie is set by "limesurvey", an open source survey platform. Although it's probably not the best way, I use limesurvey to have a small survey (iframe) on a site I'm building. I would like to let the survey disappear on the next visit when it has been posted.
Limesurvey runs from the same host (localhost now) and is in a subdirectory of the site.
I guess (but there's a lot of code in LS) this is how the cookie is made after a poll/post is completed.
$cookiename="PHPSID".returnglobal('sid')."STATUS";
setcookie("$cookiename", "COMPLETE", time() + 31536000); //Cookie will expire in 365 days
You can only read cookies which belong to the same domain as the reading script. For instance if the cookie PHPSID27258STATUS was set by domain xyz.com, you can not read it using a script on abc.com. So make sure the domain of your desired cookie is the same. Also show us the code part where you are setting your cookie.
Edit:
setcookie($cookiename, "COMPLETE", (time() + 31536000) , '/');
Try setting the cookie with this code:
setcookie("cookiename", "cookievalue", time() + 31536000, "/");
This makes the cookie available to the whole domain. I recently encountered the same issue and when I tried this, it made it work. The reason is, your browser stores cookies for both domain.com and www.domain.com, so you never know which you're setting and getting from. It's good practice to set the domain even if you don't have this problem.
You cannot access a cookie immediately after you set it. At least last time it was like that. Make sure you do not have this issue. If it is not, maybe you have a problem setting the cookie, and in that case please post that part as well.
You mention that the cookie is set by a program running in its own sub-directory. You don't mention whether the cookie itself is set to be in that sub-directory, but I suspect this is where your problem is.
If a cookie is set to a path, then it will only be accessible to pages within that path. This behaviour is described in the PHP setcookie() manual page.
When you're setting cookies from a page within a sub-directory, then in order for the cookie to be accessible to the whole site, setcookie() needs to be called with the optional path parameter set to "/".
You state that the cookie is being set by LimeSurvey. I don't know this software, but you should be able to look at the source and see whether it's using the path parameter when it sets the cookie. If not, your best option would be to modify it so that it does. Then the cookie will be accessible to the whole site. (It would be quite understandable if the LimeSurvey developers had chosen not to set it for the whole site, because it would allow the software to be run as a more isolated entity from anything else on the site).

session variables not carrying over from http://www.xxxx.com to http://xxxx.com

I was made aware of this issue by some users on my website. A user may enter http://xxxx.com into their browser and then log in. Then they may click on a link that brings them to http://www.xxxx.com and it asks them to log in again! Is this a known issue that anyone has encountered before? I tried googling it but I'm not sure if I'm using the wrong keywords or what, because I cannot find anything related to this.
Thanks,
Ian McCullough
As far as your browser is concerned, www.xxxx.com and xxxx.com are different domains. The same-origin policy prevents accessing cookies across domains.
However, the browser is aware of subdomains, and a subdomain can access the cookies of a parent domain. So, if you want to make your cookie accessible to both xxxx.com and www.xxxx.com, just set your cookie on .xxxx.com and you'll be set.
When you set a cookie, you can optionally specify which domain the cookie is set for. If you don't, the cookie is particular to that hostname only, and thus if the cookie is set on www.example.com, it will only be returned by the browser on that hostname or below.
If, when setting the cookie, you set the domain to "example.com" it should work also on "www.example.com".
The problem is that the more specific cookie will override the less specific one, so if you've previously set a cookie on "www.example.com" it will continue to override the new one set for "example.com", rather than being replaced by it - you would first have to delete the one set for "www.example.com". It gets tricky since when the client returns a cookie to the server it doesn't say which hostname the cookie was set for.
People seem to be assuming you're using a cookie to perform authentication but are skipping what appears to be your root question. Trevor briefly touched on it, but still kept to the cookie concept. As far as http is concerned, www.xxxx.com and xxxx.com are different subdomains on the same top level domain. Hence, while they may be the same ip, same website, same everything, the browser request and the server's response are considered to be 2 separate domains/sites. Sessions are not shared across subdomains unless you have a separated session state (such as a SQL Session store, etc).
However, if you are using cookies for authentication, you can add a check for the cookie and rebuild a fresh session if the data in the cookie is valid (and sufficient to reconstruct session). Otherwise you'll have to separate session state from the process into a data store.
Check the domain of the cookie, when creating a cookie you can specify if it is for all sub domains, the root server, specific sub domain, etc. To handle all, the cookie would be for .example.com
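
The duplicate-cookie situation described in this thread and in the earlier two-PHPSESSID question can be detected from the raw Cookie header and cleaned up by expiring the cookie at every scope it may have been stored under. This is an added example, not code from the original posts; the function names and sample header are constructed, and the array form of setcookie() assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the original posts. Cookie values and domain
// names are constructed placeholders.

/** Count how many times each cookie name appears in a raw Cookie header. */
function cookie_name_counts(string $rawHeader): array
{
    $counts = [];
    foreach (explode(';', $rawHeader) as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        if ($name !== '') {
            $counts[$name] = ($counts[$name] ?? 0) + 1;
        }
    }
    return $counts;
}

/**
 * Build the setcookie() option sets that expire a cookie at every scope it
 * may have been stored under: host-only, plus each listed Domain value.
 */
function expiry_options(array $domains, string $path = '/'): array
{
    $base = ['expires' => 1, 'path' => $path];     // 1 = a timestamp far in the past
    $sets = [$base];                               // host-only: no Domain attribute
    foreach ($domains as $d) {
        $sets[] = $base + ['domain' => $d];
    }
    return $sets;
}

/** If the browser sent the cookie more than once, expire all copies. */
function clear_duplicate_cookies(string $rawHeader, string $name, array $domains): bool
{
    if ((cookie_name_counts($rawHeader)[$name] ?? 0) < 2) {
        return false;                              // zero or one copy: nothing to do
    }
    foreach (expiry_options($domains) as $opts) {
        setcookie($name, '', $opts);               // must run before any output
    }
    return true;
}

// Constructed header with two PHPSESSID values, as in the www / non-www case.
// In a real request, pass $_SERVER['HTTP_COOKIE'] ?? '' instead.
$raw = 'PHPSESSID=aaa111; theme=dark; PHPSESSID=bbb222';
var_dump(cookie_name_counts($raw)['PHPSESSID']);
var_dump(count(expiry_options(['example.com'])));
```

After clear_duplicate_cookies() returns true, start a fresh session with a single, fixed cookie domain so only one copy exists from then on.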

PHP session id's differ

I am using PHP 5.2.8.
I have index.html, which loads LOAD.PHP from an IFRAME.
iframe src="load.php".....
I printed out load.php's session id.
Then I ran another test.php, and printed out its session id.
The PHP session ids were different.
Therefore, I cannot pass any session variables....
What is happening here? This problem did not happen before, suddenly today it started happening.... however this problem still exists.... it's driving me nuts!
session.saved_path is the same for both.... /var/php5, cookie path is the same...
If PHP is creating a second session ID on the second load of the page, then it means that the first one was not passed back properly. Likely, the cookie is not being set for some reason. Things to check:
Test in multiple browsers?
Did you disable cookies in your browser somehow?
Is the iframe on a different domain or subdomain that might prevent cookie passing?
Install LiveHTTPHeaders or some other firefox add-in to check the cookies you are receiving
http://www.example.com will have a different sessionID than http://example.com
(not really an answer, as your question doesn't seem to me to have enough data to provide a certain answer, but rather a few things to check)
The files are in the same domain and directory and the cookies are not limited to a different directory (i.e. path=/)? (note: they're not limited unless you tell that explicitly with session_set_cookie_params)
Is the browser sending the cookie (or are you maybe in "incognito mode")? If cookies don't work PHP will probably try to pass Session IDs in the QueryString and fail, if you go to test.php writing its name manually and not following a link (usually I use session.use_only_cookies=1 to avoid that).
They will have different SID if they have different cookie domain or cookies are not working at all and PHP is configured to use only cookies for session ID (session.use_only_cookies=1).
Cookies domain is explained here
Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
The default value of domain is the host name of the server which generated the cookie response.
So set a common domain for your hosts and they will share cookies, thus PHP SID :)
