Session problem over multiple domains

[esoteric]

I have recently changed server and setting things up are a right pain, after 2 days im need of some help.

 

I have my site split into sub domains so lets say;

 

www.domain.com

one.domain.com

two.domain.com

three.domain.com

 

They are to separate parts of my site which used to make it easier the manage each part, so one sub domain handles accounts and logins etc.. whilst another handles products and so on. the problem im having is all my login scripts and are on say 'one.domain.com', i can log in fine but when i visit any other domain im logged out, i can't seem to sort it out.

 

i have tried setting my session cookie path and session cookie domain by painstakingly adding

ini_set('session.save_path', '/var/www/vhosts/website.co.uk/httpdocs/tmp');
ini_set('session.cookie_domain', '.website.co.uk');

to every page, but it makes no difference, im also getting the occasional error

Warning: session_start() [function.session-start]: open(/tmp/sess_d387ha6eqvj53f135q0fh4d733, O_RDWR) failed: Permission denied 

 

I have contacted my server provider by after endless messages they are no longer helping but rather keep saying 'leave it with us' then 'we fixed it' although they didnt. It doesn't help im so limited in what i have access to, i cant access the php.ini so everything has to be done via php

 

So i would really appreciate any help getting this session problem sorted out.

 

Thank you.

[rythemton]

This sounds like it's an issue with your hosting.

 

In all reality, I'd switch it to be all in one domain for SEO friendliness. Google considers each sub-domain as a different domain for the purposes of tracking, so by separating your site into separate sub-domains will affect your placement in searches.

 

If you don't care about SEO, it sounds like it will take finding someone at your hosting company that knows what they are doing.

[esoteric]

I understand the search engine problem but it isn't really an option, my site has been set up like this for a while and changing it now would make all paperwork and existing users links etc.. invalid. We also have business cards which point to specific sub domains so i'm not too worried about search engines. thanks you though, im trying to get help from my host but its been a long wait and very little has been done.

[PFMaBiSmAd]

When you do log in, what does the PHPSESSID cookie have for a domain setting when you look at the cookie in your browser?

 

Are you putting the ini_set() statements before the session_start() statement? Is the ini_set() statement enabled on your server?

 

You should be able to put php settings into a local php.ini (when php is running as a CGI application) or into a .htaccess file (on Apache when php is running as an Apache Module.)

 

What does a phpinfo statement show for the session.auto_start setting?

 

 

[PFMaBiSmAd]

Also, what does a phpinfo statement show for the session.cookie_path setting?

[esoteric]

The cookie name is my website name without the www. (so domain.co.uk)

 

the top of my php pages looks like this

<?
ini_set('session.save_path', '/var/www/vhosts/xxxxx.co.uk/httpdocs/tmp');
ini_set('session.cookie_domain', '.xxxxx.co.uk');
session_start();

 

I dont have access to the php.ini which i was surprised about, they wont let me change anything, i tried adding it to my htaccess it just stopped me logging in at all.

 

session.auto_start = Off

 

session.cookie_path = /

 

Thank you

[esoteric]

oh and i created the folder at 'xxxxx.co.uk/httpdocs/tmp' and gave it full permission (777)

[xyph]

The cookie name is my website name without the www. (so domain.co.uk)

 

Use a tool that lets you see the raw headers. In Chrome, ctrl+shift+j will open the debug window, and under the Resources tab, there's a 'Cookie' option on the left. This gives details about the actual cookies being set. The 'domain' value is what PFMaBiSmAd wants to confirm. There may be cases where changing the value using ini_set doesn't actually change the behaviour.

[PFMaBiSmAd]

Does the PHPSESSID cookie domain setting have the leading dot as part of it?

 

Is there more than one PHPSESSID cookie, for different variations of your domain, that are left over from previous testing? You may need to delete them all so that a new one that matches the current session.cookie settings will get created.

 

When you log in under one sub-domain, look at the value (content) in the PHPSESSID cookie, then navigate to a different sub-domain and check the PHPSESSID cookie value (content) again. Are those two values the same?

 

 

[esoteric]

Is this the info you wanted? i had to download a addon for firefox to see it

 

name - PHPSESSID

host - .xxxxxxxxx.co.uk

content - 7qpi4boe4n5rf26hha1tqh45p5

path - /

 

and the host does have the . at the start. I deleted all other cookies, this is the only one i have from a fresh login attempt. I cant test it from another domain because i would need to shift a whole load of script about to do it, but if need to in order to find the problem i will?

[xyph]

And that session cookie shows up when accessing both one.domain.com and domain.com ?

[PFMaBiSmAd]

The only thing I asked you to do is to navigate to a different sub-domain and recheck the value.

 

Any chance you are using https on some of these sub-domains and not on others?

[esoteric]

I got a reply from my host, he said he new the problem and has to reset my sessions, needless to say that didn't do anything as i expected but he also said

I would suggest you set /tmp as the save session path this way it will correctly write to the servers /tmp folder ensuring permissions are consistent.

 

But im not sure what he means, how would i change this to make that change, anything i try give me 'ini_set() [function.ini-set]: SAFE MODE Restriction in effect', safe mode is off.

ini_set('session.save_path', '/var/www/vhosts/xxxx.co.uk/httpdocs/tmp');

[Jessica]

Do you have access to php.ini file?

[esoteric]

No, bit of a pain

[Jessica]

Then reply to him and tell him you can't set it.

[xyph]

Also, NEVER set your session save directory to a folder inside of your web root.

 

Always in a place that can't be accessed by the outside world.