1

I'm trying to set it up so if you log in to my website the session carries over to all sub-domains of my website. For example, if you go to domain.com and log in, then go to sub.domain.com, you'll already be logged in at sub.domain.com.

To my understanding, you would want to use ini_set('session.cookie_domain','.domain.com') and then session_start(), then set your session variables, but this isn't working.

Example of what I'm doing:

Code for domain.com:

<?php
 ini_set('session.cookie_domain','.domain.com');
 session_start();
 $_SESSION['variable'] = 1;
?>

Code for sub.domain.com:

<?php
 session_start();
 echo $_SESSION['variable'];
?>

But $_SESSION['variable'] isn't set.

I've also tried using ini_set() in the sub.domain.com code, but it made no difference. I've verified that setting session.cookie_domain is working by using ini_get().

What am I doing wrong? Thanks!

SumWon

3 Answers

4

First verify the ini_set

<?php
ini_set('session.cookie_domain','.domain.com');

echo ini_get('session.cookie_domain');

session_start();  
$_SESSION['variable'] = 1; 

?> 

Update:

Just thought about it.. Did you also try:

<?php

session_set_cookie_params( 0, "/", ".domain.com", false, false); 
session_start();  
$_SESSION['variable'] = 1; 

?> 

Update 2: Alternate handling (manual cookie handling)

<?php

session_start();  
session_regenerate_id();
$_SESSION['variable'] = "String Test";

setcookie('PHPSESSID',session_id(),time()+86400,'/','.domain.com');
echo session_id();
?> 

and in the subdomain file

<?php  
if (isset($_COOKIE['PHPSESSID']) && !empty($_COOKIE['PHPSESSID'])) session_id($_COOKIE['PHPSESSID']);

session_start();  
echo $_SESSION['variable'] . "<br />"; 
echo $_COOKIE['PHPSESSID'] . "<br />";
echo session_id();
?> 

Three lines you could add to every file to hand off / handle session info

if (isset($_COOKIE['PHPSESSID']) && !empty($_COOKIE['PHPSESSID'])) session_id($_COOKIE['PHPSESSID']);
session_start();  
if (!isset($_COOKIE['PHPSESSID'])) setcookie('PHPSESSID',session_id(),time()+86400,'/','.domain.com');

What info are you passing through the session? Or are you using it to handle logins, etc?

CarpeNoctumDC
  • Thanks for the suggestion, but it checks out. It returns exactly what I set, so I guess ini_set() isn't disabled on my host. – SumWon Jan 08 '11 at 02:03
  • Yes, I also tried session_set_cookie_params, but it didn't work either :/. I also tried setting it via .htaccess and using php_value. – SumWon Jan 08 '11 at 02:06
  • If all else fails, just process the info manually (see Update 2) – CarpeNoctumDC Jan 08 '11 at 02:37
  • The sessions are being used for handling logins. Thanks for the suggestions! As I can't seem to get anything else to work, I'll look into manually handing the cookies. – SumWon Jan 08 '11 at 03:14
  • I would suggest using a user session class then... Most of them are redundant and do not rely on cookies.... – CarpeNoctumDC Jan 08 '11 at 03:41
1

Well, if all else fails, you could implement your own sessions - all $_SESSION is in PHP is a wrapper around a cookie set/get and a file-backed datastore. If you store a cookie manually with an identifier and then associate data with that identifier (say, in a DB, even), you can get essentially the same functionality (serialize() may help if you want to store a bunch of varying session data).

Amber
0

I know it's late after the question, but seeing this is the only proper answer I found and people are going to use it since the answer is voted up, I wanted to note that it is a session hack waiting to happen. So a solution for this:

define("ENCRYPTION_KEY", "whatever you want to use as key"); // encryption key
if (isset($_COOKIE['SessionEncrypt']) && !empty($_COOKIE['SessionEncrypt'])) {
    //echo "get cookie: ".$_COOKIE['SessionEncrypt']; //urldecode(decrypt($_COOKIE['SessionEncrypt'], ENCRYPTION_KEY));
    session_id(decrypt(urldecode($_COOKIE['SessionEncrypt']), ENCRYPTION_KEY));
    //session_id($_COOKIE['SessionEncrypt']);
}
session_start();
setcookie('SessionEncrypt',urlencode(encrypt(session_id(), ENCRYPTION_KEY)),time()+86400,'/','yourdomain.com'); // will work cross subdomain

To encrypt/decrypt (found it here somewhere, works like a charm):

function encrypt($pure_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, $encryption_key, utf8_encode($pure_string), MCRYPT_MODE_ECB, $iv);
    return $encrypted_string;
}

function decrypt($encrypted_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
    return $decrypted_string;
}

This way nobody can read the session in the cookie. Cause you don't have to be a genius to insert a cookie in your browser. With this, people tend to forget that sessions are in fact readable from a server. If your browser can reach it, so can other programs.

Matt
  • Don't understand that... What is the difference? If someone can put the same cookie on their machine, it doesn't matter if it is encrypted. Or am I missing something? :) – Jacek Kowalewski Mar 20 '14 at 15:52
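
A hardened way to share one session cookie across domain.com and its subdomains, as an added example that is not part of any answer above. The session name SHAREDSESSID, the helper names and the user_id key are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Include this file on domain.com
// and on every subdomain before any output is sent.

const SHARED_COOKIE_DOMAIN = '.domain.com';  // placeholder domain from the question
const SHARED_SESSION_NAME  = 'SHAREDSESSID'; // hypothetical; must be identical on all hosts

function start_shared_session(): void
{
    // Refuse session IDs the server never issued: an uninitialized ID sent
    // by the client is replaced with a freshly generated one.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_name(SHARED_SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,                    // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => SHARED_COOKIE_DOMAIN, // leading dot covers all subdomains
        'secure'   => true,                 // HTTPS only; assumes every host serves TLS
        'httponly' => true,                 // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call at the moment of successful authentication (hypothetical helper).
function login_user(int $userId): void
{
    // Issue a new ID and delete the old session, so an ID that was known
    // before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_shared_session();
```

The cookie carries only the session ID, so every host must also read the same session store (the same session.save_path or a shared save handler) and use the same session name.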