authentication - PHP Sessions across sub domains
Get the solution ↓↓↓Solution:
I do not know if the problem still exists, but I just ran into the same problem and solved it setting a session name before callingsession_set_cookie_params()
:
$some_name = session_name("some_name");
session_set_cookie_params(0, '/', '.example.com');
session_start();
I have changed nothing in myphp.ini
but now everything is working fine.
Answer
Solution:
One thing which can mysteriously prevent session data being read on a subdomain, despite cookies being correctly set to.example.com
is the PHP Suhosin patch. You can have everything configured correctly, as per the examples in the question, and it can just not work.
Turn the following Suhosin session settings off, and you're back in business:
suhosin.session.cryptua = Off
suhosin.session.cryptdocroot = Off
Answer
Solution:
Try using:
session.cookie_domain = "example.com"
Instead of:
session.cookie_domain = ".example.com"
Note the missing period at the beginning.
Answer
Solution:
Had this exact problem - I wanted session values created on x.example.local to be available on example.local and vice-versa.
All solutions I found said to change the Session domain by usingphp_value session.cookie_domain .example.local
in .htaccess (or via php.ini or via ini_set).
The catch was I was setting thesession.cookie_domain
for all subdomains (so far ok) but also for the main domain. Setting thesession.cookie_domain
on the main domain is apparently a no-no.
Basically the way it worked for me:
- set the
session.cookie_domain
for ALL SUBDOMAINS. - don't set it for the main DOMAIN
Oh yes, please make sure the domain has a TLD (in my case .local). Http protocol doesn't allow cookies/sessions to be stored on a domain without .tld (ie localhost won't work, but stuff.localhost will).
EDIT: Also make sure you always clear your browser cookies while testing/debugging sessions across subdomains. If you don't, your browser will always send the old session cookie which probably doesn't have the correct cookie_domain set yet. The server will revive the old session and therefore you'll get false negative results. (in many posts it's mentioned to use session_name('stuff') for the exact same effect)
Answer
Solution:
I solved it like this
ini_set('session.cookie_domain', '.testdomain.example');
session_start();
Because I was working on localhost
ini_set('session.cookie_domain', '.localhost');
wasn't working, it sees .localhost as the toplevel instead of .com/.local/... (I suspect)
Answer
Solution:
I have confirmed. joreon's answer is correct. I cannot comment because my reputation is not enough so I post my comment here.
Define the constant in a config file. If you want to change it, no need to modify whole files.
define('ROOT_DOMAIN', 'mysite.example');
define('PHP_SESSION_NAME', 'MYSITE');
The session name can't consist of digits only, at least one letter must be present. Otherwise, a new session id is generated every time.
Use the following code to start using session
session_name(PHP_SESSION_NAME);
session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
session_start();
I'm using this function:
function load_session() {
if (session_status() == PHP_SESSION_NONE) {
session_name(PHP_SESSION_NAME);
session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
session_start();
} elseif (session_name() != PHP_SESSION_NAME) {
session_destroy();
session_name(PHP_SESSION_NAME);
session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
session_start();
}
}
load_session(); // put it in anywhere you want to use session
Answer
Solution:
Use this , it works:
ini_set('session.cookie_domain',
substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));
Answer
Solution:
Sub domain and root domain Cookie Sessions Combined Use
Resource: http://php.net//manual/tr/function.session-set-cookie-params.php
I've tested works
sub.example.com/sessionadd.php?id=123
example.com/sessionview.php // 123
-- Codes
<?php
$currentCookieParams = session_get_cookie_params();
$rootDomain = '.example.com';
session_set_cookie_params(
$currentCookieParams["lifetime"],
$currentCookieParams["path"],
$rootDomain,
$currentCookieParams["secure"],
$currentCookieParams["httponly"]
);
session_name('mysessionname');
session_start();
setcookie($cookieName, $cookieValue, time() + 3600, '/', $rootDomain);
?>
Answer
Solution:
I get the idea that you don't want something like OpenID, like Joel is suggesting, but that you want to have access to the session data across multiple domains.
The only possibility that I can think of as a solution for that problem is to store the sessiondata in a database, and pull it out of that database.
Answer
Solution:
I had a similar problem, however, this solution was good for me, perhaps will help others in the future
edit the php.ini
session.cookie_domain = ".example.com"
the magic is here
suhosin.session.cryptdocroot = Off
suhosin.cookie.cryptdocroot = Off
Answer
Solution:
I can't speak for other versions of PHP, but in 5.6.6, simply setting thesession.cookie_domain
value in thephp.ini
file did the trick to allow all of my subdomains on iPage to share the same set of session variables.
Be sure to remove any existing cookies related to your domain from your browser to test.
session.cookie_domain = '.yourdomainname.example'
Oh, don't know if it makes any difference but I'm also using session autostart.
session.auto_start = 1
Answer
Solution:
Simply try using following code just abovesession_start()
method
$sess_life_time = 21600; //in seconds
$sess_path = "/";
$sess_domain = ".example.com";
$sess_secure = true; // if you have secured session
$sess_httponly = true; // httponly flag
session_set_cookie_params($sess_life_time, $sess_path, $sess_domain, $sess_secure, $sess_httponly);
Answer
Solution:
I have read all answers above, I think my answer is helpful for people googling this:
make sure the browsers send session cookie back to servers (of domain and sub-domains), set session cookie domain as
.example.com
.Make sure PHP find the right "target" to restore the session variable:
- If domain and subdomains point to the same machine (maybe different virtual hosts), make sure
session_save_path
is the same for all (I tested) - If domain and subdomains point to different machines, the common storage (like database) is best for saving and restoring session data (I didn't test yet). Use
session_set_save_handler
to do that.
- If domain and subdomains point to the same machine (maybe different virtual hosts), make sure
Answer
Solution:
I know this is old but this works fine for me with multiple domains and sub domains on the same box.
<?php
define('site_domain','example.com');
session_set_save_handler('_open',
'_close',
'_read',
'_write',
'_destroy',
'_clean');
function _open(){
global $_sess_db;
$db_user = 'user';
$db_pass = 'pass';
$db_host = 'localhost';
if ($_sess_db = mysql_connect($db_host, $db_user, $db_pass)){
return mysql_select_db('database', $_sess_db);
}
return false;
}
function _close(){
global $_sess_db;
return mysql_close($_sess_db);
}
function _read($id){
global $_sess_db;
$id = mysql_real_escape_string($id);
$domain = mysql_real_escape_string(site_domain);
$agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));
$sql = "SELECT data
FROM sessions
WHERE id = '$id' AND domain = '$domain' AND agent = '$agent'";
if ($result = mysql_query($sql, $_sess_db)){
if (mysql_num_rows($result)){
$record = mysql_fetch_assoc($result);
return $record['data'];
}
}
return '';
}
function _write($id, $data){
global $_sess_db;
$access = time();
$id = mysql_real_escape_string($id);
$access = mysql_real_escape_string($access);
$data = mysql_real_escape_string($data);
$domain = mysql_real_escape_string(site_domain);
$agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));
$sql = "REPLACE INTO sessions
VALUES ('$id', '$access', '$data', '$domain', '$agent')";
return mysql_query($sql, $_sess_db);
}
function _destroy($id){
global $_sess_db;
$id = mysql_real_escape_string($id);
$domain = mysql_real_escape_string(site_domain);
$agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));
$sql = "DELETE FROM sessions
WHERE id = '$id' AND domain = '$domain' AND agent = '$agent'";
return mysql_query($sql, $_sess_db);
}
function _clean($max){
global $_sess_db;
$old = time() - $max;
$old = mysql_real_escape_string($old);
$domain = mysql_real_escape_string(site_domain);
$agent = mysql_real_escape_string(isset($_SERVER['HTTP_USER_AGENT']));
$sql = "DELETE FROM sessions
WHERE access < '$old' AND domain = '$domain' AND agent = '$agent'";
return mysql_query($sql, $_sess_db);
}
?>
Answer
Solution:
Use :
session_name("put_a_session_name");
session_start([
"cookie_domain" => ".example.com",
"cookie_path" => "/"
]);
Answer
Solution:
A quick and dirty solution is to use this for your redirect:
header( $url.'?'.session_name().'='.session_id() );
this will add something along the lines of?PHPSESSID=etnm7kbuf5lg0r6tv7je6ehtn4
to the URL, which tells PHP the session id it should use.
Share solution ↓
Additional Information:
Link To Answer People are also looking for solutions of the problem: uncaught error: call to undefined function mysqli_connect()
Didn't find the answer?
Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.
Similar questions
Find the answer in similar questions on our website.
Write quick answer
Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.