PHP Sessions across sub domains

2018-12-31 07:21发布

站内问答 / PHP
1733 16 4

I am trying to set up the following:

auth.domain.com
sub1.domain.com
sub2.domain.com

where if the user visits sub1.domain.com or sub2.domain.com and they are not logged in, they get pushed over to auth.domain.com and can log in. sub1.domain.com and sub2.domain.com are two separate applications but use the same credentials.

I tried setting the following in my php.ini:

session.cookie_domain = ".domain.com"

but it doesn't seem to be passing the information from one domain to the other.

[Edit]

I tried the following:

sub1.domain.com/test.php

session_set_cookie_params(0, '/', '.domain.com');
session_start();
print session_id() . "<br>";
$_SESSION['Regsitered'] = 1;
echo '<a href="http://auth.domain.com/test.php">Change Sites</a>'

auth.domain.com/test.php

session_set_cookie_params(0, '/', '.domain.com');
session_start();
print session_id() . "<br>";
$_SESSION['Checked'] = 1;
print_r($_SESSION);

The session IDs are exactly the same but when I dump out the $_SESSION variable it doesn't show both keys, just whatever key I set under each domain.

[Edit 2]

I updated [Edit]

16条回答
唯独是你
2楼-- · 2018-12-31 07:33

I have confirmed. joreon's answer is correct. I cannot comment because my reputation is not enough so I post my comment here.

Define the constant in a config file. If you want to change it, no need to modify whole files.

define('ROOT_DOMAIN',   'mysite.com');
define('PHP_SESSION_NAME', 'MYSITE');

The session name can't consist of digits only, at least one letter must be present. Otherwise a new session id is generated every time.

Use the following code to start using session

session_name(PHP_SESSION_NAME);
session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
session_start();

I'm using this function:

function load_session() {
    if (session_status() == PHP_SESSION_NONE) {
        session_name(PHP_SESSION_NAME);
        session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
        session_start();
    }
    else {
        if (session_name() != PHP_SESSION_NAME) {
            session_destroy();
            session_name(PHP_SESSION_NAME);
            session_set_cookie_params(0, '/', '.' . ROOT_DOMAIN);
            session_start();
        }
    }
}
load_session(); // put it in anywhere you want to use session
查看更多
0人赞 添加讨论(0) 举报
泪湿衣
3楼-- · 2018-12-31 07:35

Had this exact problem - I wanted session values created on x.example.local to be available on example.local and vice-versa.

All solutions I found said to change the Session domain by using php_value session.cookie_domain .example.local in .htaccess (or via php.ini or via ini_set).

The catch was I was setting the session.cookie_domain for all subdomains (so far ok) but also for the main domain. Setting the session.cookie_domain on the main domain is apparently a no-no.

Basically the way it worked for me:

  • set the session.cookie_domain for ALL SUBDOMAINS.
  • don't set it for the main DOMAIN

Oh yes, please make sure the domain has a TLD (in my case .local). Http protocol doesn't allow cookies/sessions to be stored on a domain without .tld (ie localhost won't work, but stuff.localhost will).

EDIT: Also make sure you always clear your browser cookies while testing/debugging sessions across subdomains. If you don't, your browser will always send the old session cookie which probably doesn't have the correct cookie_domain set yet. The server will revive the old session and therefore you'll get false negative results. (in many posts it's mentioned to use session_name('stuff') for the exact same effect)

查看更多
0人赞 添加讨论(0) 举报
时光乱了年华
4楼-- · 2018-12-31 07:35

Sub domain and root domain Cookie Sessions Combined Use

Resource: http://php.net//manual/tr/function.session-set-cookie-params.php

I've tested works

sub.exampledomain.com/sessionadd.php?id=123

exampledomain.com/sessionview.php // 123

-- Codes

<?php 
$currentCookieParams = session_get_cookie_params(); 

$rootDomain = '.example.com'; 

session_set_cookie_params( 
    $currentCookieParams["lifetime"], 
    $currentCookieParams["path"], 
    $rootDomain, 
    $currentCookieParams["secure"], 
    $currentCookieParams["httponly"] 
); 

session_name('mysessionname'); 
session_start(); 

setcookie($cookieName, $cookieValue, time() + 3600, '/', $rootDomain); 
?>
查看更多
0人赞 添加讨论(0) 举报
浮光初槿花落
5楼-- · 2018-12-31 07:36

I can't speak for other versions of PHP, but in 5.6.6, simply setting the session.cookie_domain value in the php.ini file did the trick to allow all of my subdomains on iPage to share the same set of session variables.

Be sure to remove any existing cookies related to your domain from your browser to test. 

session.cookie_domain = '.yourdomainname.org'

Oh, don't know if it makes any difference but I'm also using session autostart. 

session.auto_start = 1
查看更多
0人赞 添加讨论(0) 举报
初与友歌
6楼-- · 2018-12-31 07:37

A quick and dirty solution is to use this for your redirect:

header( $url.'?'.session_name().'='.session_id() );

this will add something along the lines of ?PHPSESSID=etnm7kbuf5lg0r6tv7je6ehtn4 to the URL, which tells PHP the session id it should use.

查看更多
0人赞 添加讨论(0) 举报
笑指拈花
7楼-- · 2018-12-31 07:38

One thing which can mysteriously prevent session data being read on a subdomain, despite cookies being correctly set to .domain.com is the PHP Suhosin patch. You can have everything configured correctly, as per the examples in the question, and it can just not work.

Turn the following Suhosin session settings off, and you're back in business:

suhosin.session.cryptua = Off 
suhosin.session.cryptdocroot = Off
查看更多
0人赞 添加讨论(0) 举报
1 2 3 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)