
Allow subdomains to access session data


jasonc310771


I am wanting to access session data on all subdomains. I have tried to add session.cookie_domain = '.yourdomainname.example' (with my domain name) to php.ini, but no change.

Using the following...

if (isset($_COOKIE['session_id']))
    session_id($_COOKIE['session_id']);
session_start();
if (!isset($_COOKIE['session_id']))
    setcookie('session_id', session_id(), 0, '/', '.yourdomainname.example');

All works fine, but I have been told that I should not be setting sessions this way?

How do I correctly configure the server to allow this?


Are you wanting to use $_SESSION (data stored server side) or $_COOKIE (data stored client side)?

Others can correct me if I'm wrong, but I don't think session.cookie_domain applies to $_COOKIE. Whether (sub)domain(s) have access to $_COOKIE is determined by the corresponding argument in setcookie(). Of course, it has been a while since I've needed to deal with either $_SESSION or $_COOKIE.


A cookie has an argument that indicates how wide in the domain it can be read. A session doesn't. PHP sets the session up and re-opens it when you return to the session by accepting a submit from the client. The session has nothing to do with domains. If it does, I'll have learned something new today.


1 hour ago, ginerjm said:

A cookie has an argument that indicates how wide in the domain it can be read.  A session doesn't.

The session ID is stored in a regular cookie, just like any other cookie data you would want to set.  It has all the same cookie parameters, which can be configured with session_set_cookie_params.

 

@jasonc310771

So long as the session cookie is set up with a domain parameter that allows it to be used on sub-domains, there should not be any issues with your session ID carrying between domains. If the server-side code for both domains has access to the same session storage back end, then sharing the data should work as well. If the two domains are hosted on different servers and you're using regular file-based session handling, then the data won't carry over, since the second server would not have access to the first server's session files.

Have you checked if the session ID is being carried between domains by inspecting the requests your browser makes using its dev tools? If it's not, try using the session_set_cookie_params function to set up your domain parameter prior to calling session_start().

 


I still do not know enough about $_SESSION.

The main domain example.com is where they log in. I have the user data stored in $_SESSION['user'] as an array. Once logged in, they get taken to members.example.com and $_SESSION['user'] is no longer available. All pages have session_start(); at the start (no spaces or anything outputted before).

Some time ago, in some forum I tried to get help in, it was suggested I should not use the second method that actually worked, as it should work automatically without the extra code. Just use session_start();

So confused as to why it does not automatically work?


3 hours ago, jasonc310771 said:

So confused as to why it does not automatically work?

It does automatically work. It just doesn't automatically work the specific way you want it to.

kicken said to use session_set_cookie_params. Have you done that yet?

On 5/13/2023 at 8:00 PM, jasonc310771 said:

I still do not know enough about $_SESSION

The main domain example.com is where they log in. I have the user data stored in $_SESSION['user'] as an array. Once logged in, they get taken to members.example.com and $_SESSION['user'] is no longer available.

So confused as to why it does not automatically work?

Everything I'm going to say is based on the default behavior of PHP sessions. Session behavior can be altered by changing PHP configuration variables or, in most cases, overriding the runtime variables in your script prior to doing anything else. You need to verify what these settings are for your specific installation.

Sessions, by default, are simply files stored on the server that contain the contents of the $_SESSION array in serialized form. These variables are serialized/deserialized during the runtime of a PHP script.

The way the server associates a session file on the server with a user is via a cookie. The default name for that cookie is PHPSESSID.

The full list of runtime session configuration variables is here.

So let us look at the code you provided:

if (isset($_COOKIE['session_id']))
    session_id($_COOKIE['session_id']);
session_start();
if(!isset($_COOKIE['session_id']))
    setcookie('session_id', session_id(), 0, '/', '.yourdomainname.example');

So a few things to point out about this code:

  • It exists to change the name of the cookie from 'PHPSESSID' to 'session_id'. That's a lot of wonky code to do something that has official session-specific functions to accommodate.
  • This code is attempting to go around the built-in cookie session handling, and is likely the source of your issues. My advice is to use the session-specific functions instead.

// Use 'session_id' as the session cookie name instead of the default PHPSESSID
session_name('session_id');
// Lifetime 0 (until the browser closes), path '/', domain covering the subdomains
session_set_cookie_params(0, '/', '.yourdomain.example');
session_start();
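
An added example, not code from any poster in this thread: one way to apply the session_set_cookie_params advice from kicken and from the last reply, together with a helper for the check kicken describes (is the cookie arriving, and do both hosts use the same session storage). It assumes PHP 7.3+, HTTPS on every host and the domain example.com from the question; the function and constant names are hypothetical.

```php
<?php
// Added example, not from the thread. Include first on every page of
// example.com and members.example.com, before any output is sent.
declare(strict_types=1);

const SESSION_COOKIE_NAME   = 'session_id';    // cookie name used in the thread
const SESSION_COOKIE_DOMAIN = '.example.com';  // assumed parent domain

function start_shared_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // cookie parameters cannot be changed once the session is open
    }
    // Do not accept session IDs that PHP has not initialized itself.
    ini_set('session.use_strict_mode', '1');
    // Take the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_name(SESSION_COOKIE_NAME);
    session_set_cookie_params([
        'lifetime' => 0,                      // until the browser closes
        'path'     => '/',
        'domain'   => SESSION_COOKIE_DOMAIN,  // sent to all subdomains
        'secure'   => true,                   // HTTPS only (assumption)
        'httponly' => true,                   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after the credentials have been verified on example.com.
function login_user(array $user): void
{
    start_shared_session();
    session_regenerate_id(true); // new ID at login, old session data deleted
    $_SESSION['user'] = $user;
}

// Compare this output on both hosts: the cookie must arrive on each one, and
// the save handler and save path must point at the same storage.
function session_debug_info(): array
{
    return [
        'host'         => $_SERVER['HTTP_HOST'] ?? 'cli',
        'save_handler' => ini_get('session.save_handler'),
        'save_path'    => session_save_path(),
        'cookie'       => session_get_cookie_params(),
        'id_received'  => isset($_COOKIE[SESSION_COOKIE_NAME]),
    ];
}
```

A cookie scoped to the parent domain is sent to every subdomain, so each host under it can read and overwrite the session ID; scope it this widely only when all of those hosts are trusted.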

 
