Sharing Session Variables Between Multiple Subdomains

PHP - Sharing session between multiple subdomains

Problem found:

My subdomains are on different Apache servers, so session vars can't be shared. I'll use database storage with unique vars in cookies to share my variables.

Sharing session variables in PHP between subdomains

The only way I can think of to do this would be to save the session data to a cookie, then open the cookie when the other domain is accessed. You can read how to do this here: http://www.depiction.net/tutorials/php/cookies-session-variables.php

Out of curiosity, why do you want to do this?

Sharing session between multiple subdomains

To share sessions across sub-domains, you need to configure two things.

  1. You need the proper cookie settings for the session cookie so that the browser will send the same session cookie to both sub-domains. This involves setting the domain attribute on the cookie to the root domain. You can set this in the cookie options for the express-session configuration.

  2. You need to make sure that the server for each sub-domain has access to the same session store. If it's actually the same server for each sub-domain, then that's easy. But, if it's a different server, then you will need a shared session store, using some type of shared database (redis, mongodb, etc...). There are session store implementations for many different databases.

Maintaining Session Variables across Subdomains

Ok I nailed it and it was a stinker.

Suhosin's suhosin.session.cryptdocroot option was the entire cause of the problem. When the session encryption key is based on the DocRoot it causes the subdomains to fail to see each other's session variables when the base domain and the subdomains are served from different directories. This leads to the session vars on the server being stored in different folders and hence they are not visible to each of the corresponding domains.

Solution. Simply add these 2 lines in your php.ini file:

suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off

A 48 hour nightmare to track down, 4.8 seconds to fix.

Share session on subdomains in php

My solution was to set a flag in .htaccess like this:

php_flag "suhosin.session.cryptdocroot" 0

And it now works perfectly ;o)

The problem was that Suhosin was installed on the system, and the ini variable

suhosin.session.cryptdocroot = On

encrypted the session files in such a way, that when a different subdomain tried to change the session, it deleted everything for security reasons.

It didn't work for me to set the variable to Off or [nothing] in the ini-file, though maybe I didn't find the right file.

I also tried setting it in PHP without any luck. Like this:

ini_set('suhosin.session.cryptdocroot', 0);

cheers

Share session data between 2 subdomains

Set the sessionCookieDomain attribute of <Context> element of the webapp in question to .mydomain.com (note the leading dot, this is very important). This will allow the web browser to share cookies among all subdomains.

If you actually have multiple webapp contexts and you want to share the session between them as well, then you also need to set sessionCookiePath attribute of <Context> element of the webapps in question to /.

In a nutshell:

<Context sessionCookieDomain=".mydomain.com" sessionCookiePath="/">

See also:

  • Tomcat 7 configuration reference - The Context container

For Tomcat 6 users: note that this was introduced in Tomcat 6.0.27. For those who can't upgrade, you would need a Valve to modify the cookie domain, eventually in combination with emptySessionPath attribute in <Connector> element in /conf/server.xml for the case that you've multiple webapp contexts for which you'd like to share the session.
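
The cookie scoping that both the express-session answer (domain attribute set to the root domain) and the Tomcat sessionCookieDomain answer rely on, as an added example that is not part of any of the original answers: a small model of RFC 6265 domain matching that shows which hosts receive a session cookie with and without a Domain attribute. Host names other than mydomain.com are constructed, and the public-suffix check that browsers also apply is left out.

```javascript
// Model of RFC 6265 cookie scoping (added example; public-suffix check omitted).
// Section 5.1.3: a host domain-matches when it equals the cookie domain or
// ends with "." + domain, and is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Store a cookie as a browser would when setterHost sends Set-Cookie.
// Returns null when the cookie is rejected.
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, exact host match required.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  // Section 5.2.3: a leading dot in the Domain attribute is ignored.
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  // Section 5.3: the setting host must itself domain-match the attribute.
  if (!domainMatch(setterHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach the cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed host list; mydomain.com is the placeholder used on the page.
const HOSTS = ['mydomain.com', 'www.mydomain.com', 'app.mydomain.com',
  'a.b.mydomain.com', 'notmydomain.com', 'mydomain.com.example.test'];

const hostOnly = storeCookie('www.mydomain.com', 'sid', undefined);
const shared = storeCookie('www.mydomain.com', 'sid', '.mydomain.com');
const foreign = storeCookie('www.mydomain.com', 'sid', 'other.test');

console.log('host-only :', recipients(hostOnly, HOSTS));
console.log('Domain set:', recipients(shared, HOSTS));
console.log('foreign   :', foreign);
```

Once the Domain attribute is set, every host under the root domain receives the session cookie, so each of those hosts has to be trusted with the session identifier.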


