Solved

PHP SESSION cross-domain support

Posted on 2009-05-20
Last Modified: 2013-12-12
Building a php session based authentication system for a custom web app.
The app has a central code base and CMS to display content based on the domain header (i.e., domain content has the same document root).

If you go to www.domain.com you get db driven content for that domain.  If you go to subdomain1.domain.com you get content for subdomain1.domain.com.  There could be thousands of subdomains.

Authentication is based on sessions.  Understanding the basis of sessions, it's geared for that specific domain, however I need a session to carry over into subdomains (and possibly other domains).

I've added the following code to my .htaccess in the document root and it seems to work, but has been flaky.  If I monitor the session vars, I'll get a different session for different domains on different browsers (sometimes).  It seems to generate new sessions for subdomains and it doesn't solve the secondary unique domain problem.

I'm open to just about any solution... even if it means a different fundamental authentication logic change...

Is this possible?  What do others do?
php_value session.cookie_domain .domain.com

Question by:vmurray

Expert Comment

by:mmarth
ID: 24437765
If you create a session variable, it will only work on the original domain.

To automatically be logged in to a different domain, you can send the login info with the original request to the new domain, i.e. the redirect can contain the login info, which can be dynamically inserted. Other session info could be sent the same way or could be retrieved from a database.

Author Comment

by:vmurray
ID: 24437784
Turns out this works:
php_value session.cookie_domain .domain.com

I had sessions that were still active created before the change therefore causing inconsistent behavior.

Still doesn't help on multiple domain support.

Always been retrieving from db, but you have to have the above in php.ini or .htaccess.

I was trying to get specific information for how others have done it. (code) or logic examples.

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 24462356
Here is a sample script that will do what you need.  Please run it and examine the output.  Post back here if you have any questions.  Best of luck, ~Ray
<?php // RAY_session_cookie_domain.php
// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN DIFFERENT SUBDOMAINS
error_reporting(E_ALL);


// MAKE THE SESSION COOKIE AVAILABLE TO ALL SUBDOMAINS
// OUR GOAL IS A DOMAIN NAME THAT STARTS WITH DOT AND OMITS WWW OR OTHER SUBDOMAINS.
// HTTP_HOST COMES FROM THE CLIENT'S Host HEADER: DROP ANY PORT BEFORE USING IT
$hostname = preg_replace('/:\d+$/', '', strtolower($_SERVER["HTTP_HOST"]));
// BREAK THE HOST NAME APART AT THE DOTS
$x = explode('.', $hostname);
if (count($x) < 2) // MAYBE 'localhost'? (explode() ALWAYS RETURNS AN ARRAY)
{
   $host = $x[0];
} else // SOMETHING LIKE 'www2.atf70.whitehouse.gov'?
{
// USE THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN
// (NOT CORRECT FOR SUFFIXES LIKE 'co.uk', WHERE THREE POSITIONS ARE NEEDED)
   $y    = count($x);
   $host = '.' . $x[$y-2] . '.' . $x[$y-1];
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS
// ARGUMENTS: EXPIRES 0 (SESSION COOKIE), PATH, DOMAIN, SECURE FALSE, HTTPONLY TRUE
$sess_name = session_name();
if (session_start())
{
	setcookie($sess_name, session_id(), 0, '/', $host, FALSE, TRUE);
}



// LOAD UP SOME INFORMATION TO SHOW SESSION CONTENTS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;


// PUT UP TWO LINKS WITH DIFFERENT SUBDOMAINS
$gost = ltrim($host, '.'); // STRIP OFF THE DOT THAT WAS NEEDED FOR SETCOOKIE
$dmn_link = 'http://'     . $gost . '/RAY_dump_session.php';
$www_link = 'http://www.' . $gost . '/RAY_dump_session.php';

// THE LINKS ARE BUILT FROM A REQUEST HEADER, SO ESCAPE THEM BEFORE OUTPUT
$dmn_html = htmlspecialchars($dmn_link, ENT_QUOTES);
$www_html = htmlspecialchars($www_link, ENT_QUOTES);
echo "<br/><a target=\"_blank\" href=\"$www_html\">$www_html</a>\n";
echo "<br/><a target=\"_blank\" href=\"$dmn_html\">$dmn_html</a>\n";


// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo "\n\n";
echo "SESSION ";
var_dump($_SESSION);

echo "</pre>\n";



?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>


Author Comment

by:vmurray
ID: 24486501
This works.  Same result as adding the .htaccess for PHP

php_value session.cookie_domain .domain.com

Is there anything for true cross-domain support?

domainx.com, domainy.com (rather than just sub1.domainx.com, sub2.domainx.com)

Expert Comment

by:Ray Paseur
ID: 24486726
No, there is no cross-domain support for cookies without using redirects.  However if you want to get "clever" about it, you can have multiple domains all send their cookie values to a single "central" domain, maybe via POST or CURL.  That central domain sets and clears cookies, and returns the data to the calling domain when it redirects.  I would not recommend this, however.  Some clients would see this as a security breach, so you would need to be explicit about it in your published privacy policies.

HTH, ~Ray
0
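Added example, not part of the thread: if a redirect between a central domain and domainy.com is used as described above, the redirect can carry a short-lived, single-use HMAC-signed token rather than login info or a session id. The key, the function names, the host domainz.com and the in-memory `$seen` store are assumptions made for illustration.

```php
<?php
// Added example. HANDOFF_KEY, the function names and $seen are hypothetical.
const HANDOFF_KEY = 'constructed-placeholder-key-use-32-random-bytes';
const HANDOFF_TTL = 30; // seconds the token stays valid

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Central domain: call only after the user has authenticated there.
function issue_handoff(int $uid, string $targetHost, int $now): string {
    $body = b64url(json_encode([
        'uid' => $uid,
        'aud' => $targetHost,               // the one site allowed to accept it
        'exp' => $now + HANDOFF_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique id, for replay detection
    ]));
    return $body . '.' . b64url(hash_hmac('sha256', $body, HANDOFF_KEY, true));
}

// Receiving domain: returns the user id, or null when the token is rejected.
// $myHost comes from configuration, not from the Host header.
// $seen stands in for a shared table of token ids that were already used.
function accept_handoff(string $token, string $myHost, int $now, array &$seen): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, HANDOFF_KEY, true));
    if (!hash_equals($expected, $mac)) return null;   // forged or altered
    $c = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['uid'], $c['aud'], $c['exp'], $c['jti'])) return null;
    if ($c['aud'] !== $myHost) return null;           // issued for another site
    if ($c['exp'] < $now) return null;                // expired
    if (isset($seen[$c['jti']])) return null;         // replayed
    $seen[$c['jti']] = true;
    return (int) $c['uid'];
}

// Constructed walk-through: domainx.com hands user 42 over to domainy.com.
$now   = time();
$seen  = [];
$token = issue_handoff(42, 'domainy.com', $now);
var_dump(accept_handoff($token, 'domainy.com', $now, $seen));        // first use
var_dump(accept_handoff($token, 'domainy.com', $now, $seen));        // replay
var_dump(accept_handoff($token, 'domainz.com', $now, $seen));        // wrong site
var_dump(accept_handoff($token . 'A', 'domainy.com', $now, $seen));  // altered MAC
$fresh = issue_handoff(42, 'domainy.com', $now);
var_dump(accept_handoff($fresh, 'domainy.com', $now + 31, $seen));   // expired
```

On success the receiving site would call session_start() and session_regenerate_id(true) and store the user id in its own $_SESSION, so each domain keeps its own session cookie.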
 

Author Closing Comment

by:vmurray
ID: 31583553
This helps understand what you can do.  Easiest solution was adding:
php_value session.cookie_domain .domain.com
to .htaccess.  Suppose it could be set in php.ini as well.  Cross domain is an issue.  I think the best solution will be to use subdomains and when authenticating cross domain, you have to log in (same credentials, but different domain)

Expert Comment

by:nosolb
ID: 26387072
I have used the same code with one change, and now it works for me. Now I am able to access the same session value across all my subdomains as well as the main domain.

Try this:

php_value session.cookie_domain ".domain.com"

Note: enclose your domain.com in quotes.