PHP SESSION cross-domain support

Building a PHP session-based authentication system for a custom web app.
The app has a central code base and CMS to display content based on the domain header (i.e., domain content has the same document root).

If you go to www.domain.com you get db driven content for that domain.  If you go to subdomain1.domain.com you get content for subdomain1.domain.com.  There could be thousands of subdomains.

Authentication is based on sessions.  Understanding the basis of sessions, it's geared for that specific domain; however, I need a session to carry over into subdomains (and possibly other domains).

I've added the following code to my .htaccess in the document root and it seems to work, but has been flaky.  If I monitor the session vars, I'll get a different session for different domains on different browsers (sometimes).  It seems to generate new sessions for subdomains and it doesn't solve the secondary unique domain problem.

I'm open to just about any solution... even if it means a different fundamental authentication logic change...

Is this possible?  What do others do?
php_value session.cookie_domain .domain.com

0
vmurray
Asked:
 
mmarth Commented:
If you create a session variable, it will only work on the original domain.

To automatically be logged in to a different domain, you can send the login info with the original request to the new domain, i.e. the redirect can contain the login info, which can be dynamically inserted. Other session info could be sent the same way or could be retrieved from a database.
0
 
vmurray (Author) Commented:
Turns out this works:
php_value session.cookie_domain .domain.com

I had sessions that were still active, created before the change, therefore causing inconsistent behavior.

Still doesn't help on multiple domain support.

Always been retrieving from db, but you have to have the above in php.ini or .htaccess.

I was trying to get specific information for how others have done it. (code) or logic examples.
0
 
Ray Paseur Commented:
Here is a sample script that will do what you need.  Please run it and examine the output.  Post back here if you have any questions.  Best of luck, ~Ray
<?php // RAY_session_cookie_domain.php
// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN DIFFERENT SUBDOMAINS
error_reporting(E_ALL);


// MAKE THE SESSION COOKIE AVAILABLE TO ALL SUBDOMAINS
// OUR GOAL IS A DOMAIN NAME THAT STARTS WITH DOT AND OMITS WWW OR OTHER SUBDOMAINS.
// HTTP_HOST IS CLIENT-SUPPLIED: DROP ANY PORT AND ACCEPT ONLY HOST NAME CHARACTERS
$name = strtolower(preg_replace('/:\d+$/', '', $_SERVER["HTTP_HOST"] ?? 'localhost'));
if (!preg_match('/^[a-z0-9.-]+$/', $name)) $name = 'localhost';

// BREAK THE HOST NAME APART AT THE DOTS
$x = explode('.', $name);
$y = count($x);
if ($y < 2) // MAYBE 'localhost'? EXPLODE() ALWAYS RETURNS AN ARRAY, SO TEST THE COUNT
{
   $host = $name;
} else // SOMETHING LIKE 'www2.atf70.whitehouse.gov'?
{
// USE THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN
// (NOT CORRECT FOR SUFFIXES LIKE 'co.uk', WHERE THREE POSITIONS ARE NEEDED)
   $host = '.' . $x[$y-2] . '.' . $x[$y-1];
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS
// ARGUMENTS: EXPIRES=0 (SESSION COOKIE), PATH, DOMAIN, SECURE=FALSE, HTTPONLY=TRUE
$sess_name = session_name();
if (session_start())
{
	setcookie($sess_name, session_id(), 0, '/', $host, FALSE, TRUE);
}



// LOAD UP SOME INFORMATION TO SHOW SESSION CONTENTS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;


// PUT UP TWO LINKS WITH DIFFERENT SUBDOMAINS
$gost = ltrim($host, '.'); // STRIP OFF THE DOT THAT WAS NEEDED FOR SETCOOKIE
$dmn_link = 'http://'     . $gost . '/RAY_dump_session.php';
$www_link = 'http://www.' . $gost . '/RAY_dump_session.php';

echo "<br/><a target=\"_blank\" href=\"$www_link\">$www_link</a>\n";
echo "<br/><a target=\"_blank\" href=\"$dmn_link\">$dmn_link</a>\n";


// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo "\n\n";
echo "SESSION ";
var_dump($_SESSION);

echo "</pre>\n";



?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>

0
 
vmurray (Author) Commented:
This works.  Same result as adding the .htaccess for PHP

php_value session.cookie_domain .domain.com

Is there anything for true cross-domain support?

domainx.com, domainy.com (rather than just sub1.domainx.com, sub2.domainx.com)
0
 
Ray Paseur Commented:
No, there is no cross-domain support for cookies without using redirects.  However if you want to get "clever" about it, you can have multiple domains all send their cookie values to a single "central" domain, maybe via POST or CURL.  That central domain sets and clears cookies, and returns the data to the calling domain when it redirects.  I would not recommend this, however.  Some clients would see this as a security breach, so you would need to be explicit about it in your published privacy policies.

HTH, ~Ray
0
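
The redirect-based handoff between unrelated domains that this thread discusses, as an added example (not code from any poster): instead of putting login info in the redirect, the first site issues a short-lived, single-use, HMAC-signed token that the second site verifies before starting its own session. HANDOFF_KEY, HANDOFF_TTL, the function names and the $seen array (standing in for a shared database table of used token ids) are assumptions made for the illustration.

```php
<?php
// ADDED EXAMPLE: SIGNED ONE-TIME LOGIN HANDOFF BETWEEN domainx.com AND domainy.com
// HANDOFF_KEY IS A PLACEHOLDER FOR A SECRET KNOWN TO BOTH SITES (ASSUMPTION)
const HANDOFF_KEY = 'replace-with-32-random-bytes';
const HANDOFF_TTL = 60; // SECONDS THE TOKEN STAYS VALID

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// RUNS ON THE SITE WHERE THE USER IS ALREADY LOGGED IN
function issue_handoff(int $userId, string $targetHost): string
{
    $body = b64url(json_encode([
        'uid' => $userId,
        'aud' => $targetHost,               // ONLY THIS HOST MAY ACCEPT THE TOKEN
        'exp' => time() + HANDOFF_TTL,
        'jti' => bin2hex(random_bytes(16)), // UNIQUE ID USED TO REJECT REPLAYS
    ]));
    return $body . '.' . b64url(hash_hmac('sha256', $body, HANDOFF_KEY, true));
}

// RUNS ON THE RECEIVING SITE; RETURNS THE USER ID OR NULL
function accept_handoff(string $token, string $thisHost, array &$seen): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, HANDOFF_KEY, true));
    if (!hash_equals($expected, $mac)) return null;      // CONSTANT-TIME COMPARE
    $c = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['uid'], $c['aud'], $c['exp'], $c['jti'])) return null;
    if ($c['aud'] !== $thisHost || $c['exp'] < time()) return null;
    if (isset($seen[$c['jti']])) return null;            // TOKEN WAS ALREADY USED
    $seen[$c['jti']] = true;
    return (int) $c['uid'];
}

// CONSTRUCTED DEMO: ISSUE ON domainx.com, ACCEPT ON domainy.com
$seen  = [];
$token = issue_handoff(42, 'domainy.com');
var_dump(accept_handoff($token, 'domainy.com', $seen));       // FIRST USE
var_dump(accept_handoff($token, 'domainy.com', $seen));       // REPLAY
var_dump(accept_handoff($token . 'x', 'domainy.com', $seen)); // TAMPERED SIGNATURE
```

On a successful accept, the receiving site would call session_start() and session_regenerate_id(true) before storing the user id in $_SESSION, so the new session never reuses an id that existed before login.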
 
vmurray (Author) Commented:
This helps understand what you can do.  Easiest solution was adding:
php_value session.cookie_domain .domain.com
to .htaccess.  Suppose it could be set in php.ini as well.  Cross domain is an issue.  I think the best solution will be to use subdomains and when authenticating cross domain, you have to log in (same credentials, but different domain).
0
 
nosolb Commented:
I have used the same code with one change, and now it works for me. Now I am able to access the same session value across all my subdomains as well as the main domain.

Try this:

php_value session.cookie_domain ".domain.com"

Note: enclose your domain.com in quotes.
0
Question has a verified solution.