Why Can't I Pass User Sessions Between Subdomains

Why can't I pass user sessions between subdomains?

I suspect the cookies are being set for .foo.example.com instead of .example.com. Try installing the Live HTTP Headers add-on for Firefox and checking what the cookies are getting set as.

To do this, open Live HTTP Headers and with the window open, go to the page that sets the cookie. In the window, there should be a line that looks like this.

Set-Cookie: lng=en-US; path=/; domain=.example.com;

If the cookie is set for domain=.foo.example.com; then you know what the problem is. However, if the domain is .example.com, something else is going on.

Also, if the cookies are getting set for .example.com on foo.example.com, check to see if the browser is sending cookies to bar.example.com. This should help track down where the problem is.
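The check described in the answer above can be reproduced offline. This is an added example, not code from the original post: it applies RFC 6265 domain matching to a Set-Cookie header to show which hosts a browser would send the cookie to. The function names and sample hosts are assumptions made for illustration.

```javascript
// Added example: RFC 6265 domain matching for a Set-Cookie header.
// Headers and host names are constructed samples. Public-suffix rejection
// and IP-address hosts are not modeled.

// Return the Domain attribute (leading dot stripped, lowercased),
// or null when the cookie is host-only.
function cookieDomain(setCookie) {
  let domain = null;
  for (const part of setCookie.split(";").slice(1)) {
    const [name, ...rest] = part.trim().split("=");
    if (name.toLowerCase() !== "domain") continue;
    const value = rest.join("=").trim().replace(/^\./, "").toLowerCase();
    if (value !== "") domain = value; // an empty Domain attribute is ignored
  }
  return domain; // the last Domain attribute wins
}

// Would a browser that received `setCookie` from `originHost` send the
// cookie back on a request to `requestHost`?
function wouldSend(setCookie, originHost, requestHost) {
  const domain = cookieDomain(setCookie);
  const origin = originHost.toLowerCase();
  const target = requestHost.toLowerCase();
  if (domain === null) return target === origin; // host-only cookie
  const matches = (host) => host === domain || host.endsWith("." + domain);
  // A cookie whose Domain does not cover the host that set it is rejected.
  if (!matches(origin)) return false;
  return matches(target);
}

// Map each host to true/false: is the cookie sent there?
function report(setCookie, originHost, hosts) {
  const result = {};
  for (const h of hosts) result[h] = wouldSend(setCookie, originHost, h);
  return result;
}

const hosts = ["example.com", "foo.example.com", "bar.example.com"];
const origin = "foo.example.com";
console.log(report("lng=en-US; path=/; domain=.example.com;", origin, hosts));
console.log(report("lng=en-US; path=/; domain=.foo.example.com;", origin, hosts));
console.log(report("lng=en-US; path=/", origin, hosts));
```

With domain=.example.com every host under example.com receives the cookie; with domain=.foo.example.com or no Domain attribute, bar.example.com never does.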

Can't share PHP sessions between subdomain and main

It is a limitation of DreamHost managed VPS, which doesn't allow sharing PHP sessions between virtual hosts (subdomains). I have switched to another provider and everything works.

Correct way to share login sessions across subdomains in Rails 3?

Update: the suggested solution is not that ugly after all; ad exchanges and DSPs/SSPs use the same technique to exchange a visitor's session ID so they can better target the visitor with ads (the next time that visitor pops up in their network again).


If you can circumvent the browser cross-domain barrier, you can do it. For example, JSONP is specifically built for this purpose. And yes, session info is always stored centrally, otherwise if you get a request with a session ID of "zigzag", how can you check if it is valid?

"Those" sites that authenticate on login.domain.com might use an ajax proxy, or use another method to get through the cross-domain problem.

The oldest "trick" is to create a hook in your application that looks like an image, as images can be loaded from everywhere.

For example, on login.domain.com you authenticate the user: the request is sent to the server and comes back with a response, and a cookie will be stored under login.domain.com with the session ID (which is stored on the server as well). Then, from JavaScript, you GET an image with the session ID attached, like http://any.domain.com/path/image.jpg?sessionID=abcd; any cookies sent back in the response will be stored under any.domain.com.

Another solution - which is as ugly as the previous - is to use a hidden iframe to call to any.domain.com (when a successful authentication happens), that request will return a response, and its cookies will be written under the any.domain.com domain.

If you have a multitude of subdomains, and you can complicate your architecture a bit, I highly advise that you create a proxy, and make it available to every subdomain on the same IP address. Then no matter where the user comes in, the authentication process will always be the same, for every subdomain.

Share session on subdomains in php

My solution was to set a flag in .htaccess like this:

php_flag "suhosin.session.cryptdocroot" 0

And it now works perfectly ;o)

The problem was that Suhosin was installed on the system, and the ini variable

suhosin.session.cryptdocroot = On

encrypted the session files in such a way that when a different subdomain tried to change the session, it deleted everything for security reasons.

It didn't work for me to set the variable to Off or [nothing] in the ini-file, though maybe I didn't find the right file.

I also tried setting it in PHP without any luck. Like this:

ini_set('suhosin.session.cryptdocroot', 0);

cheers


