views:

450

answers:

3

Hello,

I'm implementing login and registration for multiple domains that talk to a single database - we'll call them i.domain-a.com and i.domain-b.com. Both these subdomains have A records in the DNS that point to a single server - thus making i.domain-a.com/hello.php and i.domain-b.com/hello.php run the same thing.

So, if I create a session on domain A, then I can go to domain B and retrieve the same session information. To implement completely separate login systems for both of them that utilise the same PHP functions I have written to handle registration, should I do something with session_name() based on $_SERVER['HTTP_HOST']? I'm not sure how similar my situation is to this guy, and hope this question isn't too similar.

A: 

No. The mechanism that stops different users getting the same session works on a per server basis, not a per hostname basis.

David Dorward
Therefore, with that in mind, is it safe to do `session_name($_SERVER['HTTP_HOST']);` before `session_start();` to separate the sessions for each domain on the same server?
Sam Starling
I've also realised that implementing the above causes a new ID to be generated every visit, which isn't ideal. I want the same ID until the session expires or is destroyed. Apologies for such rapid replies...
Sam Starling
+1  A: 

Sessions/cookies are domain-specific and don't rely on DNS settings. If you want both systems' sessions to be separate while they live on separate domains, you're already all set.

I believe session_name() would've actually been the best solution for that other guy's question, two separate sessions on the same domain.

Cryo
Thanks. I've got a debug page which simply shows the session ID at the moment, if I go to `i.domain-a.com/session.php` and `i.domain-a.com/session.php`, I see the same thing. If I do `session_name($_SERVER['HTTP_HOST']);` before `session_start();` then I get different IDs for each domain.
Sam Starling
That's because i.domain-a.com/session.php and i.domain-a.com/session.php are the same page.
David Dorward
Session IDs are server specific however cookies are domain specific. The user's cookies (one for each domain) will each be pointing to unique session IDs thus avoiding any overlap. Try setting up a script that sets a session variable and a script that displays that variable. Run the first from one domain and the second from the other, the second should never get the first's values until it's run from the same domain.
Cryo
The second domain should read domain-b.
Sam Starling
If someone were to manually pass the session ID into the PHP scripts they could (and you could if you wanted to provide this feature) transfer a session's data across domains. To completely prevent this you could definitely use your session_name()/HTTP_HOST combination.
Cryo
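Putting together the `session_name($_SERVER['HTTP_HOST'])` idea from Sam's comments on the first answer and the session-ID-passing caveat from Cryo's last comment, here is an added example of how the shared code path could bind a session to exactly one host. This is not code from the question or any answer; the constant and function names (`KNOWN_HOSTS`, `sessionNameForHost`, `startHostScopedSession`) are hypothetical, and the host list is constructed from the names in the question. It also deals with the "new ID on every visit" effect Sam reports: PHP rewrites dots in incoming cookie names to underscores when it builds `$_COOKIE`, so a session name taken verbatim from the host never matches its own cookie; the name is reduced to letters and digits here.

```php
<?php
// Added example (not from the question or the answers): bind a PHP session
// to one host so i.domain-a.com and i.domain-b.com, served by the same code,
// never share session data. Names below are hypothetical.

declare(strict_types=1);

// Hosts this deployment actually serves (constructed from the question).
// $_SERVER['HTTP_HOST'] is just the client's Host header, so it is checked
// against this list rather than trusted as-is.
const KNOWN_HOSTS = ['i.domain-a.com', 'i.domain-b.com'];

/**
 * Turn a validated host into a cookie-safe session name.
 * PHP converts '.' in cookie names to '_' while populating $_COOKIE, so
 * session_name('i.domain-a.com') would never find its own cookie and a fresh
 * ID would be issued on every request. Keeping only letters and digits
 * avoids that: "i.domain-a.com" becomes "SESS_idomainacom".
 */
function sessionNameForHost(string $host): string
{
    if (!in_array($host, KNOWN_HOSTS, true)) {
        throw new RuntimeException('unknown host: ' . $host);
    }
    return 'SESS_' . (string) preg_replace('/[^a-zA-Z0-9]/', '', $host);
}

/**
 * Start a session that belongs to exactly one host: its own name, a
 * host-only cookie, and no acceptance of IDs handed over in the URL or
 * query string (the cross-domain transfer Cryo describes).
 */
function startHostScopedSession(string $host): string
{
    $name = sessionNameForHost($host);

    // Only the cookie may carry the session ID.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued (blocks fixation with a guessed ID).
    ini_set('session.use_strict_mode', '1');

    session_name($name);
    // Array form needs PHP 7.3+. An empty 'domain' yields a host-only cookie,
    // the narrowest scope a browser offers.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    return $name;
}

// Usage from the shared login/registration code:
$host = $_SERVER['HTTP_HOST'] ?? '';
startHostScopedSession($host);
// $_SESSION is now specific to $host; store login state as usual.
```

Because each host gets a different cookie name and a host-only cookie, a browser that is signed in on domain A sends nothing usable to domain B, and `use_only_cookies` plus `use_strict_mode` mean a session ID copied by hand into a URL on the other domain is ignored rather than adopted.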
A: 

To avoid problems with sessions you should use session_name('myapplication') [ i.e. session_name({UNIQUE_APP_ID}) ].

The problem you are mentioning can occur in more simple situations where there is an administration panel and a sign-in form for the users of the web site.

If session_name is not used, a signed-in user could have access to the admin panel, but this depends on the auth scheme and mechanism you have implemented.

regards,

andreas
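As an added illustration of andreas's point (not code from the answer), consider one host that serves both a public site and an administration panel. The naive check below is the situation he warns about; the hardened part gives each area its own session name and cookie path, and checks the privilege the page actually needs. Function names, session keys, the two area names and the cookie paths are all hypothetical.

```php
<?php
// Added example (not from andreas's answer): separating a public site's
// session from an admin panel's session on the same host. Names are
// hypothetical.

declare(strict_types=1);

// --- Vulnerable pattern: one default session, presence check only -------
// Both sign-in forms write 'user_id' into the same PHPSESSID session, so any
// ordinary signed-in visitor satisfies this test on the admin side.
function adminAllowedNaive(array $session): bool
{
    return isset($session['user_id']);
}

// --- Hardened pattern -----------------------------------------------------
// 1. Each area gets its own session name and cookie path, so the admin
//    cookie is a different cookie and is only ever sent under /admin/.
function startAreaSession(string $area): void
{
    $names = ['site' => 'SITESESS', 'admin' => 'ADMINSESS'];
    $paths = ['site' => '/',        'admin' => '/admin/'];
    if (!isset($names[$area])) {
        throw new InvalidArgumentException('unknown area: ' . $area);
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_name($names[$area]);
    session_set_cookie_params([          // array form: PHP 7.3+
        'lifetime' => 0,
        'path'     => $paths[$area],
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. Authorise on the specific privilege, not on "somebody is logged in".
function adminAllowed(array $session): bool
{
    return isset($session['admin_id'], $session['role'])
        && $session['role'] === 'admin';
}

// Constructed credential store for the example: a single admin account whose
// hash would normally be produced once at deploy time, not per request.
function verifyAdminPassword(string $user, string $password): bool
{
    $store = ['root' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($store[$user]) && password_verify($password, $store[$user]);
}

// Admin sign-in: authenticate, rotate the ID so a pre-login ID cannot be
// reused, then record the privilege under admin-specific keys.
function adminLogin(string $user, string $password): bool
{
    if (!verifyAdminPassword($user, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin_id'] = $user;
    $_SESSION['role']     = 'admin';
    return true;
}

// Demonstration with constructed session contents of an ordinary site user:
// the naive check treats this visitor as an admin, the hardened check does not.
$siteUser = ['user_id' => 42];
var_dump(adminAllowedNaive($siteUser));
var_dump(adminAllowed($siteUser));

// Entry point of a page under /admin/ would then be:
// startAreaSession('admin');
// if (!adminAllowed($_SESSION)) { http_response_code(403); exit; }
```

The separate session name is what andreas suggests; the explicit role check is the part that matters even when both areas do share a session store, because a distinct cookie alone only helps if the admin code stops relying on "logged in" as its whole authorisation decision.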