Jump to content

Session information sharing on different subdomains

Emsanator

By Emsanator
in PHP Coding Help

 Share

Recommended Posts

Emsanator Newbie

Emsanator

Posted
Posted

I am sharing sessions between two subdomains and I can see the member's information in their different subdomains. If the member logs out, all subdomains are logged out. All is good so far.

However, for example, a.example.com the form information is POSTed to b.example.com. This form information is saved in the database, but the member's ID is not registered. No information is registered to the database with the member. What could be the reason for this? 

    ini_set('session.cookie_domain',
    substr($_SERVER['SERVER_NAME'], strpos($_SERVER['SERVER_NAME'], "."), 100));
    setcookie("MID", $_SESSION['uID'], 60 * 60 * 24 * 100, '/', '.example.com');
    session_set_cookie_params(60 * 60 * 24 * 100, '/', '.example.com', false, false);
    ini_set('session.save_path', $pathStorageMembers . 'sessions');
    ini_set('session.cookie_lifetime', 60 * 60 * 24 * 100);
    ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 100);
    session_start();

Thank you.

requinix Prolific Member

requinix

Posted
Posted

:psychic:

You talk about a member ID not being "registered" and post some code that deals with session cookies. I have no idea if the two things are supposed to be related.

When the page on the second subdomain handles the form data, either it can access the session data or it cannot. If it can't then you have cookie and/or session data problems, and if it can then you have some problem getting the ID into the database (I guess?). It's hard to tell without knowing your application(s) and having a more detailed explanation of what you're seeing and what you expected to see.

Emsanator Newbie

Emsanator

Posted
  • Author
Posted
1 hour ago, requinix said:

:psychic:

You talk about a member ID not being "registered" and post some code that deals with session cookies. I have no idea if the two things are supposed to be related.

When the page on the second subdomain handles the form data, either it can access the session data or it cannot. If it can't then you have cookie and/or session data problems, and if it can then you have some problem getting the ID into the database (I guess?). It's hard to tell without knowing your application(s) and having a more detailed explanation of what you're seeing and what you expected to see.

Yes, I realized I spelled it wrong. I meant that the member's ID is not saved with the form data in the database. Although the member's session is active, it does not see the member's ID when POSTing to the other subdomain.
While the `a.example.com` member logs in and can use the `b.example.com` site without any problems since he logs in; Unfortunately, the information of the member is not recorded in the form submission among the subdomains, but when the member logs in, the session are active in all subdomains.

requinix Prolific Member

requinix

Posted
Posted

If you're sure that the user can browse the other site perfectly fine, with the same session information as the first site, then the problem will be somewhere in the code that gets the member ID and stores it in the database...

Emsanator Newbie

Emsanator

Posted
  • Author
Posted
1 minute ago, requinix said:

If you're sure that the user can browse the other site perfectly fine, with the same session information as the first site, then the problem will be somewhere in the code that gets the member ID and stores it in the database...

 

Yes, I'm sure because without logging in, the application running on the subdomain cannot be accessed. Anyway, I'll keep researching, thanks for your help.

ginerjm Prolific Member

ginerjm

Posted
Posted

I'm glad (and surprised) that someone understands what the OP is attempting (succeeding?) to do here.  Makes no sense at all to me and surprises me that one can manage to tap into someone else's session values despite PHP's design to hopefully not allow that.

Why not use a db with a well-identified record key so that the data in it can be safely/properly shared without all of the concern for breaking PHP's built in security scheme?  Just sharing the db between domains is a surprise in itself but I guess if the user has setup his domains to point to the same db server that problem is non-existent.

requinix Prolific Member

requinix

Posted
Posted
12 hours ago, ginerjm said:

I'm glad (and surprised) that someone understands what the OP is attempting (succeeding?) to do here.  Makes no sense at all to me and surprises me that one can manage to tap into someone else's session values despite PHP's design to hopefully not allow that.

Why not use a db with a well-identified record key so that the data in it can be safely/properly shared without all of the concern for breaking PHP's built in security scheme?  Just sharing the db between domains is a surprise in itself but I guess if the user has setup his domains to point to the same db server that problem is non-existent.

There's no "tapping into" or "breaking into" here. If the code running on both subdomains can access the same source of session data (probably files) then they can share the same sessions. This sort of setup happens all the time.
If the sessions are files then it's easier to have the sites on the same server - naturally. If the sites weren't, or were "in the cloud" or otherwise distributed, then a database would be better/easier.

ginerjm Prolific Member

ginerjm

Posted
Posted

Well - I knew I didn't understand but from the writings I thought this was a sharing of individual sessions and that was what I was discussing.  

Still not sure what it is you are doing but you are making it sound less dangerous.  :)

 

gizmola Prolific Member

gizmola

Posted
Posted
16 hours ago, ginerjm said:

Well - I knew I didn't understand but from the writings I thought this was a sharing of individual sessions and that was what I was discussing.  

Still not sure what it is you are doing but you are making it sound less dangerous.  :)

 

I interpreted the question specifically to be someone with subdomains.  So for example.

  • www.mysite.com
  • store.mysite.com

It's pretty common to have setups like this, where you might want or need a session to be accessible to both subdomains.  Since the main mechanism used to pass the session id is a cookie, restrictions on cookies are relevant.  The default unless you change it, is to have the PHP session cookie set for the subdomain rather than the domain.  The setup information provided was ostensibly code to change default session handling so that the session cookie is configured for all subdomains  (.mysite.com) which would enable the reading and writing of session values by any subdomains of mysite.com.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.