PHP Sessions across sub domains

慢半拍i 2020-11-22 05:59

I am trying to set up the following:

auth.example.com
sub1.example.com
sub2.example.com

If the user visits sub1.example.com or

17 answers
  • 2020-11-22 06:29

    I can't speak for other versions of PHP, but in 5.6.6, simply setting the session.cookie_domain value in the php.ini file did the trick to allow all of my subdomains on iPage to share the same set of session variables.

    Be sure to remove any existing cookies related to your domain from your browser to test.

    session.cookie_domain = '.yourdomainname.example'
    

    Oh, don't know if it makes any difference but I'm also using session autostart.

    session.auto_start = 1
    
  • 2020-11-22 06:31

    One thing which can mysteriously prevent session data being read on a subdomain, despite cookies being correctly set to .example.com, is the PHP Suhosin patch. You can have everything configured correctly, as per the examples in the question, and it can just not work.

    Turn the following Suhosin session settings off, and you're back in business:

    suhosin.session.cryptua = Off 
    suhosin.session.cryptdocroot = Off
    
  • 2020-11-22 06:34

    Try using:

    session.cookie_domain = "example.com"
    

    Instead of:

    session.cookie_domain = ".example.com"
    

    Note the missing period at the beginning.

    Be careful using this, though, because it is not supported by all browsers.

  • 2020-11-22 06:37

    Had this exact problem - I wanted session values created on x.example.local to be available on example.local and vice-versa.

    All solutions I found said to change the Session domain by using php_value session.cookie_domain .example.local in .htaccess (or via php.ini or via ini_set).

    The catch was I was setting the session.cookie_domain for all subdomains (so far ok) but also for the main domain. Setting the session.cookie_domain on the main domain is apparently a no-no.

    Basically the way it worked for me:

    • set the session.cookie_domain for ALL SUBDOMAINS.
    • don't set it for the main DOMAIN

    Oh yes, please make sure the domain has a TLD (in my case .local). The HTTP protocol doesn't allow cookies/sessions to be stored on a domain without .tld (i.e. localhost won't work, but stuff.localhost will).

    EDIT: Also make sure you always clear your browser cookies while testing/debugging sessions across subdomains. If you don't, your browser will always send the old session cookie which probably doesn't have the correct cookie_domain set yet. The server will revive the old session and therefore you'll get false negative results. (in many posts it's mentioned to use session_name('stuff') for the exact same effect)

  • 2020-11-22 06:37

    I get the idea that you don't want something like OpenID, like Joel is suggesting, but that you want to have access to the session data across multiple domains.

    The only possibility that I can think of as a solution for that problem is to store the session data in a database, and pull it out of that database.

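The cookie settings discussed in the answers above, combined into one bootstrap file with the cookie's security attributes set explicitly; this is an added example, not code from the question or from any of the posters. It assumes PHP 7.3 or later (the array form of `session_set_cookie_params`) and HTTPS on every host; the function name `start_shared_session` and the session name `EXAMPLESESSID` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: shared session bootstrap, included first on every host.
// Host names are the question's placeholders; start_shared_session() and
// the session name EXAMPLESESSID are hypothetical.
const SHARED_COOKIE_DOMAIN = '.example.com';
const ALLOWED_HOSTS = ['auth.example.com', 'sub1.example.com', 'sub2.example.com'];

function start_shared_session(string $hostHeader): void
{
    // Drop an optional port and normalise case before comparing.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $hostHeader));

    // Only start a domain-wide session for hosts we actually serve.
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        http_response_code(400);
        exit('Unknown host');
    }

    // Refuse session IDs the server did not issue (limits fixation via a
    // cookie planted by another subdomain) and never take IDs from URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // A fresh name means stale host-only PHPSESSID cookies left over from
    // earlier tests are ignored instead of reviving an old session.
    session_name('EXAMPLESESSID');

    session_set_cookie_params([
        'lifetime' => 0,                    // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => SHARED_COOKIE_DOMAIN, // sent to auth., sub1. and sub2.
        'secure'   => true,                 // assumption: every host is HTTPS-only
        'httponly' => true,                 // not readable from JavaScript
        'samesite' => 'Lax',                // subdomains of one site still receive it
    ]);

    session_start();
}

start_shared_session($_SERVER['HTTP_HOST'] ?? '');

// On auth.example.com, immediately after a successful login:
//   session_regenerate_id(true);
//   $_SESSION['user_id'] = $userId;
```

The cookie only carries the session ID; the hosts see the same `$_SESSION` data only if they share one session store (the same `session.save_path` or a common database handler). Because the cookie goes to every host under `.example.com`, the session is only as well protected as the weakest of those hosts.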