views:

2012

answers:

8

I am trying to set up the following:

auth.domain.com
sub1.domain.com
sub2.domain.com

where if the user visits sub1.domain.com or sub2.domain.com and they are not logged in, they get pushed over to auth.domain.com and can log in. sub1.domain.com and sub2.domain.com are two separate applications but use the same credentials.

I tried setting the following in my php.ini:

session.cookie_domain = ".domain.com"

but it doesn't seem to be passing the information from one domain to the other.

[Edit]

I tried the following:

sub1.domain.com/test.php

session_set_cookie_params(0, '/', '.domain.com');
session_start();
print session_id() . "<br>";
$_SESSION['Regsitered'] = 1;
echo '<a href="http://auth.domain.com/test.php">Change Sites</a>';

auth.domain.com/test.php

session_set_cookie_params(0, '/', '.domain.com');
session_start();
print session_id() . "<br>";
$_SESSION['Checked'] = 1;
print_r($_SESSION);

The session IDs are exactly the same but when I dump out the $_SESSION variable it doesn't show both keys, just whatever key I set under each domain.

[Edit 2]

I updated [Edit]

+1  A: 

Try using:

session.cookie_domain = "domain.com"

Instead of:

session.cookie_domain = ".domain.com"

Note the missing period.

Be careful using this, though, because it is not supported by all browsers.

gclaghorn
A: 

I get the idea that you don't want something like OpenID, like Joel is suggesting, but that you want to have access to the session data across multiple domains.

The only possibility that I can think of as a solution for that problem is to store the session data in a database, and pull it out of that database.

Thomas
Right, while authentication is a part of what I want to do, I'm also interested in the session data that gets stored while the user is working.
dragonmantank
+3  A: 

You have to enable it in your code as well, see http://us2.php.net/manual/en/function.session-set-cookie-params.php

Residuum
A: 

A quick and dirty solution is to use this for your redirect:

header( 'Location: '.$url.'?'.session_name().'='.session_id() );

This will add something along the lines of ?PHPSESSID=etnm7kbuf5lg0r6tv7je6ehtn4 to the URL, which tells PHP the session id it should use.

sakabako
It also leaves it highly vulnerable to session theft :) The problem isn't with the session IDs not matching (they are, see my updated post), but with the data not moving between the domains.
dragonmantank
+1  A: 

When answering we should keep in mind that in the future, others may read the conversation looking for help (without having to ask the same questions again). But I am finding that instead of answering the question "How to make a sessions available across subdomains", we are getting how to send a session ID across domains which doesn't really answer the question.

While the examples can (and do) work for most situations, mine is a little different as the user(s) will not necessarily be following a link to other subdomains. I need it so that the user can visit sub1.domain.com, then close the browser, and at a later time (before the original session expires) go to sub2.domain.com and still be "logged in". This won't work by passing an id in a link, or other.

One question that kind of arose for me out of the comments already posted: how would you save a session ID in an SQL DB, and be able to pull the right one out later? I mean, walk it through with me: The whole thing here is to be able to identify the specific user - so they must be assigned an ID. The Session ID does just that. But most people trying to get cross subdomain sessions don't want their users to log in multiple times for each subdomain, which defeats the whole point of having the session in the MySQL database because we need to be able to identify the user.

So how is it done? I guess now that I think about it, one idea would be to allow your login script to use $_GET for username / pass, and have the script login on each subdomain via:

$login_sub1 = file_get_contents("sub1.domain.com");
$login_sub2 = file_get_contents("sub2.domain.com");

Then you could eregi the pages for success / error messages....but that's a TON of work for such a simple task.

I have been looking at every single result on Google for the last 3 hours and can't figure this out.

I have edited php.ini files, and the php files themselves, I've called my hosting company, I have called friends, I just can't figure this out. But I'll tell you what, if I can figure this out I'll write a step by step guide.

Here is what I have: Apache / PHP with Host Gator (August 21, 2009).

php.ini file in the root of each subdomain and the main domain, each ini file is just about the same.

I have edited lines:

session.cookie_domain = .domain.com
session.save_path = /home/user/domains/sessions

In sub1.domain.com I have a login that stores the userid in $_SESSION['userid'], and at the top I have:

//ini_set("session.cookie_domain", ".domain.com");
session_start();

At sub2.domain.com, I have this at the top:

//ini_set("session.cookie_domain", ".domain.com");
session_start();
echo "SESSION USERID: \"".$_SESSION['userid']."\"";

sub2.domain.com will not show anything after logging into sub1.domain.com. I have tried uncommenting the ini_set lines, different combinations of stuff...I am missing something important and can't figure out what.

If you have an idea I'd love to hear it. Thanks in advance!!

~John
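
Thomas's suggestion of keeping the session data in a database, and the question above of how the right row is found again, as an added example that is not code from any poster in this thread: the session ID carried by the shared `.domain.com` cookie is the lookup key, so no second login is needed. The table layout, the DB_* placeholders, the cookie name and HTTPS-only delivery are assumptions, and the code needs PHP 8.

```php
<?php
// Added example: every application (auth., sub1., sub2.) includes this file before use.
// Assumed table: sessions(id VARCHAR PRIMARY KEY, data BLOB, expires INT).
final class SharedSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // Runs a query bound to (session id, now) and returns its first column or false.
    private function fetch(string $sql, string $id): mixed
    {
        $q = $this->db->prepare($sql);
        $q->execute([$id, time()]);
        return $q->fetchColumn();
    }
    public function read(string $id): string|false
    {
        $data = $this->fetch('SELECT data FROM sessions WHERE id = ? AND expires > ?', $id);
        return $data === false ? '' : (string) $data;
    }
    // Called in strict mode: an ID with no live row (never issued, or expired) is refused.
    public function validateId(string $id): bool
    {
        return $this->fetch('SELECT 1 FROM sessions WHERE id = ? AND expires > ?', $id) !== false;
    }
    public function write(string $id, string $data): bool
    {
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        return $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)')
            ->execute([$id, $data, $expires]);
    }
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        return $this->db->exec('DELETE FROM sessions WHERE expires < ' . time());
    }
}
// DB_* values are placeholders for the one database all subdomains can reach.
$db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new SharedSessionHandler($db), true);
ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in the URL
ini_set('session.use_strict_mode', '1');  // refuse IDs validateId() does not know
session_name('SHAREDSESSID');             // same cookie name in every application
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'domain' => '.domain.com',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
```

Because the cookie is scoped to `.domain.com`, any host under that domain receives the session ID, so this fits only when every subdomain is under the same control.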

+2  A: 

I don't know if the problem still exists, but I just ran into the same problem and solved it setting a session name before calling session_set_cookie_params():

$some_name = session_name("some_name");
session_set_cookie_params(0, '/', '.some_domain.com');
session_start();

I have changed nothing in my php.ini but now everything is working fine.

jeroen
A: 

jeroen's answer works. The leading period (before the domain name) is required to indicate you want the session to span multiple subdomains. I can't vote for the answer without an account, so here's hoping I can at least post this comment.

CCC
A: 

Use this, it works:

ini_set('session.cookie_domain', substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));

Ivan