Sharing PHP Session ($_SESSION) Across Multiple Domains

Sharing php Session ($_SESSION) across multiple domain

Considering your original question and your answers to Logan and myself in the comments of the original question I understand:

1 - you want to pass the session variables among a domain and its subdomains; and

2 - CI and Symfony load the session before you have a chance to do the ini_set command.

I believe you have two options:

1 - include the php configuration command in the php.ini file

session.cookie_domain=".foo.com"

If you try including it in the .htaccess it will not work if you are running php as a CGI module, which seems to be fairly common among shared hosting services.

2 - you can prepend a file to all php scripts in your site. Those will be put on top of every single php script your site runs, even the ones inside CI and Symfony. For example:

phpprepend.php file

<?php
ini_set('session.cookie_domain', '.foo.com');
?>

include the following line in your php.ini file:

auto_prepend_file = "/path/to/file/phpprepend.php"

Please let us know if this solves the problem.

Good luck!

Preserving session variables across different domains

Cross-domain session ids

Session ids are passed around using cookies by default. Since your websites are on different domains the session cookie does not transfer over, so that's one thing that prevents cross-domain sessions from working.

One technique to have the session ids transfer over is to append them to the query string of all your requests (PHP even has some degree of built-in support for this). However, this way of doing things has many drawbacks -- the most important being that people copy/paste URLs all the time, with all that implies about revealing valid and reusing invalid session ids -- and therefore is not recommended.

A much better approach would be to use JavaScript to make cross-domain requests across all of the interested domains (which would need to be cooperating in this of course). This way you can seamlessly transfer your session id across as many servers as you need to.

Shared session data

Even if the cookie were not a problem, you would need to have the session data on some storage commonly accessible by all your servers. The default storage is the local filesystem, so again this is something that needs to change if you want cross-domain sessions.

A simple solution to this problem would be to use a custom session handler that stores the data on a database or other globally accessible store.

Laravel: share session data over multiple domains

  1. Capture the session id with Session::getId() in domain A
  2. Send the captured session id via HTTP POST to domain B
  3. Access the sent session id in domain B: $sessionid_from_domainA = $_POST['session_from_A']
  4. Set the session in domain B: Session::setId($sessionid_from_domainA)
  5. Start the session in domain B: Session::start()

PHP Sessions across domains and shared multiple domains

What you can do is pass the session directly in the URL. So when you link to domain2.com you pass the session like so (assuming you haven't changed your session ID handler from the default):

domain2.com?PHPSESSID=[your session ID here]

While there are some potential security risks (I would regenerate IDs at key points if I were you), it could solve your problem.

Another solution would be to hash the session ID and store that in your Redis instance, then set the session based on that hash. A bit more secure that way.
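
A hardened variant of the hand-off in the Laravel steps and of the hashed-ID idea above, added here as an example and not part of either answer: domain A sends a random single-use token instead of the session ID, and domain B resolves it server-side, so a copied URL or replayed POST cannot reuse or plant a session ID. Function, table and parameter names are hypothetical, and SQLite stands in for the shared store (the answer suggests Redis).

```php
<?php
// Added example, not code from the answers. All names are hypothetical.
function handoff_store(): PDO
{
    $pdo = new PDO('sqlite:/tmp/handoff.sqlite'); // stand-in for the shared store
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS handoff
                (token_hash TEXT PRIMARY KEY, sid TEXT, expires INTEGER)');
    return $pdo;
}

// Domain A: issue a random single-use token; only its hash is stored.
function issue_handoff(PDO $pdo, string $sid, int $ttl = 30): string
{
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO handoff VALUES (?, ?, ?)')
        ->execute([hash('sha256', $token), $sid, time() + $ttl]);
    return $token; // sent to domain B in place of the session id
}

// Domain B: redeem the token once; returns the session id or null.
function redeem_handoff(PDO $pdo, string $token): ?string
{
    $h = hash('sha256', $token);
    $st = $pdo->prepare('SELECT sid FROM handoff WHERE token_hash = ? AND expires >= ?');
    $st->execute([$h, time()]);
    $sid = $st->fetchColumn();
    $del = $pdo->prepare('DELETE FROM handoff WHERE token_hash = ?');
    $del->execute([$h]);
    // rowCount() === 1 means this request is the one that consumed the token.
    return ($sid !== false && $del->rowCount() === 1) ? (string) $sid : null;
}

// Domain A would call: $token = issue_handoff(handoff_store(), session_id());
// Domain B endpoint: accept only a redeemable token, never a raw session id.
$sid = redeem_handoff(handoff_store(), $_POST['handoff'] ?? '');
if ($sid === null) {
    http_response_code(403); // unknown, expired or already-used token
    exit;
}
session_write_close(); // close any session that has already started
session_id($sid);
session_start();
```

Both domains also need the shared session storage described earlier, otherwise the session ID resolves to an empty session on domain B.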

How do I share a session across two domains with Cake's database session handling?

All I had to do on Server B was properly re-initialize the session. Pretty basic:

session_write_close(); // close any session that has already initialized
CakeSession::id($sid_from_server_a); // or: session_id($sid_from_server_a);
session_start();

I assumed before that all I needed was that second line, that setting the new sid in the CakeSession wrapper would prompt the session to start. But it is more akin to running session_id($some_sid) the old PHP way... you can do this to set up the session before actually starting it.

In general I had some vague notion that CakePHP would automagically start the session when I wanted, but really scanning the CakeSession class shows it doesn't do much -- it is a thinly veiled convenience wrapper for native PHP session handling.

I didn't even have to parse out the pseudo-serialized session data in the sessions DB table and all that jazz -- totally unnecessary. The code above does the trick: cross-domain session sharing.

Maintaining Session Variables across Subdomains

Ok I nailed it and it was a stinker.

Suhosin's suhosin.session.cryptdocroot option was the entire cause of the problem. When the session encryption key is based on the DocRoot it causes the subdomains to fail to see each other's session variables when the base domain and the subdomains are served from different directories. This leads to the session vars on the server being stored in different folders and hence they are not visible to each of the corresponding domains.

Solution. Simply add these 2 lines in your php.ini file:

suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off

A 48 hour nightmare to track down, 4.8 seconds to fix.


