PHP Multi-Domain Sessions; ini_set Not Working?

Question

I'm trying to set it up so if you log in to my website the session carries over to all sub-domains of my website. For example, if you go to domain.com and log in, then go to sub.domain.com, you'll already be logged in at sub.domain.com.

To my understanding, you would want to use ini_set('session.cookie_domain','.domain.com') and then session_start(), then set your session variables, but this isn't working.

Example of what I'm doing:

Code for domain.com:

<?php
 ini_set('session.cookie_domain','.domain.com');
 session_start();
 $_SESSION['variable'] = 1;
?>

Code for sub.domain.com:

<?php
 session_start();
 echo $_SESSION['variable'];
?>

But $_SESSION['variable'] isn't set.

I've also tried using ini_set() in the sub.domain.com code, but it made no difference. I've verified that setting session.cookie_domain is working by using ini_get().

What am I doing wrong? Thanks!

Answer 1

First verify the ini_set

<?php
ini_set('session.cookie_domain','.domain.com');

echo ini_get('session.cookie_domain');

session_start();  
$_SESSION['variable'] = 1; 

?> 

---

Update:

Just thought about it.. Did you also try:

<?php

session_set_cookie_params( 0, "/", ".domain.com", false, false); 
session_start();  
$_SESSION['variable'] = 1; 

?> 

---

Update 2: ALternate handling (manual cookie handling)

<?php

session_start();  
session_regenerate_id();
$_SESSION['variable'] = "String Test";

setcookie('PHPSESSID',session_id(),time()+86400,'/','.domain.com');
echo session_id();
?> 

and in the subdomain file

<?php  
if (isset($_COOKIE['PHPSESSID']) && !empty($_COOKIE['PHPSESSID'])) session_id($_COOKIE['PHPSESSID']);

session_start();  
echo $_SESSION['variable'] . "<br />"; 
echo $_COOKIE['PHPSESSID'] . "<br />";
echo session_id();
?> 

---

Three lines you could add to every file to hand off / handle session info

if (isset($_COOKIE['PHPSESSID']) && !empty($_COOKIE['PHPSESSID'])) session_id($_COOKIE['PHPSESSID']);
session_start();  
if (!isset($_COOKIE['PHPSESSID'])) setcookie('PHPSESSID',session_id(),time()+86400,'/','.domain.com');

What info are you passing through the session? Or are you using it to handle logins, etc?

Answer 2

Well, if all else fails, you could implement your own sessions - all $_SESSION is in PHP is a wrapper around a cookie set/get and a file-backed datastore. If you store a cookie manually with an identifier and then associate data with that identifier (say, in a DB, even), you can get essentially the same functionality (serialize() may help if you want to store a bunch of varying session data).

Answer 3

I know it's late after the question, but seeing this is the only proper answer I found and people are going to use it since the answer is voted up, I wanted to note that it is a session hack waiting to happen. So a solution for this:

define("ENCRYPTION_KEY", "whatever you want to use as key"); // encryption key
if (isset($_COOKIE['SessionEncrypt']) && !empty($_COOKIE['SessionEncrypt'])) {
    //echo "get cookie: ".$_COOKIE['SessionEncrypt']; //urldecode(decrypt($_COOKIE['SessionEncrypt'], ENCRYPTION_KEY));
    session_id(decrypt(urldecode($_COOKIE['SessionEncrypt']), ENCRYPTION_KEY));
    //session_id($_COOKIE['SessionEncrypt']);
}
session_start();
setcookie('SessionEncrypt',urlencode(encrypt(session_id(), ENCRYPTION_KEY)),time()+86400,'/','yourdomain.com'); // will work cross subdomain

To encrypt/decrypt (found it here somewhere, works like a charm):

function encrypt($pure_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, $encryption_key, utf8_encode($pure_string), MCRYPT_MODE_ECB, $iv);
    return $encrypted_string;
}

function decrypt($encrypted_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
    return $decrypted_string;
}

This way nobody can read the session in the cookie. Cause you don't have to be a genius to insert a cookie in your browser. With this, people tend to forget that sessions are in fact readable from a server. If your browser can reach it, so can other programs.