Solved

PHP SESSION cross-domain support

Posted on 2009-05-20
Last Modified: 2013-12-12
Building a php session based authentication system for a custom web app.
The app has a central code base and CMS to display content based on the domain header (i.e., domain content has the same document root).

If you go to www.domain.com you get db driven content for that domain.  If you go to subdomain1.domain.com you get content for subdomain1.domain.com.  There could be thousands of subdomains.

Authentication is based on sessions.  Understanding the basis of sessions, it's geared for that specific domain; however, I need a session to carry over into subdomains (and possibly other domains).

I've added the following code to my .htaccess in the document root and it seems to work, but has been flaky.  If I monitor the session vars, I'll get a different session for different domains on different browsers (sometimes).  It seems to generate new sessions for subdomains and it doesn't solve the secondary unique domain problem.

I'm open to just about any solution... even if it means a different fundamental authentication logic change...

Is this possible?  What do others do?
php_value session.cookie_domain .domain.com


0
Comment
Question by:vmurray
7 Comments
 
LVL 6

Expert Comment

by:mmarth
ID: 24437765
If you create a session variable, it will only work on the original domain.

To automatically be logged in to a different domain, you can send the login info with the original request to the new domain, i.e. the redirect can contain the login info, which can be dynamically inserted. Other session info could be sent the same way or could be retrieved from a database.
0
 

Author Comment

by:vmurray
ID: 24437784
Turns out this works:
php_value session.cookie_domain .domain.com

I had sessions that were still active created before the change therefore causing inconsistent behavior.

Still doesn't help on multiple domain support.

Always been retrieving from db, but you have to have the above in php.ini or .htaccess.

I was trying to get specific information for how others have done it. (code) or logic examples.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 24462356
Here is a sample script that will do what you need.  Please run it and examine the output.  Post back here if you have any questions.  Best of luck, ~Ray
<?php // RAY_session_cookie_domain.php
// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN DIFFERENT SUBDOMAINS
error_reporting(E_ALL);

// MAKE THE SESSION COOKIE AVAILABLE TO ALL SUBDOMAINS
// OUR GOAL IS A DOMAIN NAME THAT STARTS WITH DOT AND OMITS WWW OR OTHER SUBDOMAINS.
// BREAK THE HOST NAME APART AT THE DOTS (AFTER DROPPING ANY :PORT SUFFIX)
$name = preg_replace('/:\d+$/', '', strtolower($_SERVER["HTTP_HOST"]));
$x    = explode('.', $name);
$y    = count($x);
if ($y < 2) // MAYBE 'localhost'? EXPLODE ALWAYS RETURNS AN ARRAY, SO TEST THE COUNT
{
   $host = ''; // NO DOMAIN ATTRIBUTE: THE COOKIE STAYS HOST-ONLY
} else // SOMETHING LIKE 'www2.atf70.whitehouse.gov'?
{
// USE THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN
// (NOT ENOUGH FOR SUFFIXES LIKE 'co.uk', WHERE THE LAST THREE POSITIONS ARE NEEDED)
   $host = '.' . $x[$y-2] . '.' . $x[$y-1];
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS
$sess_name = session_name();
if (session_start())
{
	// ARGUMENTS: EXPIRE 0 = SESSION COOKIE, SECURE = FALSE, HTTPONLY = TRUE
	// SET SECURE TO TRUE WHEN THE SITE IS SERVED OVER HTTPS
	setcookie($sess_name, session_id(), 0, '/', $host, FALSE, TRUE);
}

// LOAD UP SOME INFORMATION TO SHOW SESSION CONTENTS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;

// PUT UP TWO LINKS WITH DIFFERENT SUBDOMAINS
$gost = ($host === '') ? $name : substr($host,1); // STRIP OFF THE DOT THAT WAS NEEDED FOR SETCOOKIE
// THE HOST NAME COMES FROM THE REQUEST, SO ESCAPE IT BEFORE WRITING IT INTO HTML
$dmn_link = htmlspecialchars('http://'     . $gost . '/RAY_dump_session.php');
$www_link = htmlspecialchars('http://www.' . $gost . '/RAY_dump_session.php');

echo "<br/><a target=\"_blank\" href=\"$www_link\">$www_link</a>\n";
echo "<br/><a target=\"_blank\" href=\"$dmn_link\">$dmn_link</a>\n";

// SHOW WHAT IS IN COOKIE AND IN $_SESSION (ESCAPED, SINCE COOKIE VALUES COME FROM THE CLIENT)
echo "<pre>";
echo "COOKIE ";
echo htmlspecialchars(print_r($_COOKIE, TRUE));
echo "\n\n";
echo "SESSION ";
echo htmlspecialchars(print_r($_SESSION, TRUE));
echo "</pre>\n";

?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>


0
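As an added example (not part of the accepted answer or the original thread), one way to take the shared cookie domain from an allowlist rather than from the client-supplied Host header, and to configure it before session_start() so the session cookie is issued once with the intended domain. The names ALLOWED_BASE_DOMAINS, base_domain_for(), start_shared_session() and on_login_success() are hypothetical, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example; names below are hypothetical and not from the thread.
const ALLOWED_BASE_DOMAINS = ['domain.com']; // registrable domains this app serves

/** Return the allowlisted base domain the request host belongs to, or null. */
function base_domain_for(string $hostHeader): ?string
{
    // Drop any :port and normalise case; the Host header is client-supplied.
    $host = strtolower((string) preg_replace('/:\d+$/', '', trim($hostHeader)));
    foreach (ALLOWED_BASE_DOMAINS as $base) {
        if ($host === $base || substr($host, -strlen($base) - 1) === '.' . $base) {
            return $base;
        }
    }
    return null; // e.g. localhost or an unexpected Host value
}

function start_shared_session(string $hostHeader, bool $https): bool
{
    $base = base_domain_for($hostHeader);
    session_set_cookie_params([
        'lifetime' => 0,                                  // session cookie
        'path'     => '/',
        'domain'   => $base === null ? '' : '.' . $base,  // '' keeps it host-only
        'secure'   => $https,                             // HTTPS-only when available
        'httponly' => true,                               // not readable from script
        'samesite' => 'Lax',
    ]);
    return session_start();
}

/** Call after credentials are verified, before storing the user in $_SESSION. */
function on_login_success(int $userId): void
{
    // A domain-wide cookie can be set by any subdomain, so issue a fresh
    // session ID at login instead of trusting the one the browser presented.
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
start_shared_session($_SERVER['HTTP_HOST'] ?? '', $https);
```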

 

Author Comment

by:vmurray
ID: 24486501
This works.  Same result as adding the .htaccess for PHP

php_value session.cookie_domain .domain.com

Is there anything for true cross-domain support?

domainx.com, domainy.com (rather than just sub1.domainx.com, sub2.domainx.com)
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24486726
No, there is no cross-domain support for cookies without using redirects.  However if you want to get "clever" about it, you can have multiple domains all send their cookie values to a single "central" domain, maybe via POST or CURL.  That central domain sets and clears cookies, and returns the data to the calling domain when it redirects.  I would not recommend this, however.  Some clients would see this as a security breach, so you would need to be explicit about it in your published privacy policies.

HTH, ~Ray
0
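As an added example (not code from this thread), one way the redirect through a central domain described above can avoid carrying login details or session IDs in the URL: the central domain issues a short-lived, single-use, HMAC-signed token that only the named target domain can redeem. HANDOFF_KEY, HANDOFF_TTL, b64url(), issue_handoff() and redeem_handoff() are hypothetical names, the key value is a placeholder, and the in-memory replay list stands in for a shared store such as the database.

```php
<?php
// Added example; all names are hypothetical. The key is shared by the central
// login domain and each content domain and must be loaded from configuration.
const HANDOFF_KEY = 'replace-with-32-random-bytes-from-config';
const HANDOFF_TTL = 60; // seconds a token stays valid

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Central domain: build the token that goes into the redirect URL. */
function issue_handoff(int $userId, string $targetHost, int $now): string
{
    $payload = b64url(json_encode([
        'uid' => $userId,
        'aud' => $targetHost,               // only this domain may redeem it
        'exp' => $now + HANDOFF_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique ID for one-time use
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
}

/** Target domain: return the user ID, or null if the token must be rejected. */
function redeem_handoff(string $token, string $myHost, int $now, array &$usedJti): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
    if (!hash_equals($expected, $mac)) return null;     // forged or altered
    $c = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['uid'], $c['aud'], $c['exp'], $c['jti'])
        || !is_string($c['jti'])) return null;          // malformed claims
    if ($c['aud'] !== $myHost) return null;             // issued for another domain
    if ($c['exp'] < $now) return null;                  // expired
    if (isset($usedJti[$c['jti']])) return null;        // already redeemed
    $usedJti[$c['jti']] = true;
    return (int) $c['uid'];
}

// Constructed demonstration values.
$used  = [];
$token = issue_handoff(42, 'domainy.com', time());
var_dump(redeem_handoff($token, 'domainy.com', time(), $used)); // first use
var_dump(redeem_handoff($token, 'domainy.com', time(), $used)); // replay of the same token
var_dump(redeem_handoff($token, 'domainx.com', time(), $used)); // redeemed on the wrong domain
```

On a successful redeem the target domain starts its own session and regenerates the session ID before storing the user ID.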
 

Author Closing Comment

by:vmurray
ID: 31583553
This helps understand what you can do.  Easiest solution was adding:
php_value session.cookie_domain .domain.com
to .htaccess.  Suppose it could be set in php.ini as well.  Cross domain is an issue.  I think the best solution will be to use subdomains and when authenticating cross domain, you have to log in (same credentials, but different domain)
0
 

Expert Comment

by:nosolb
ID: 26387072
I have used the same code with one change, and now it works for me. Now I am able to access the same session value across all my subdomains as well as the main domain.

Try this:

php_value session.cookie_domain ".domain.com"

Note: enclose your domain.com in quotes.
0
