 

Maintaining Session Variables across Subdomains

I have been trying to maintain session vars between two subdomains and found it impossible. I ended up creating 2 minimal PHP web pages as a test bed, one I call 'test 1' just sets

$_SESSION['test'] = "Fred";

and has a hyperlink to 'test 2' which simply tries to echo the value of $_SESSION['test'] to prove it's worked, or not. I place 'test 1' in my www domain and 'test 2' in my subdomain. I try various versions of what should go in the header, from various sources. Here are the main 3 (and of course their variants):

// cookie domain taken from the part of SERVER_NAME after its first dot (e.g. ".mydomain.com")
ini_set('session.cookie_domain',substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));
session_start();

or

ini_set('session.cookie_domain','mydomain.com');
session_start();

or

// note: PHP_INI_ALL is an integer "changeable" mode constant, not a domain name
ini_set('session.cookie_domain', PHP_INI_ALL);
session_start();

or

session_set_cookie_params(0, "/", ".mydomain.com", false);
session_start();

I find that I get an identical result in every case. The session is not carried across the subdomains and page test 2 has no idea what value I set $_SESSION['test'] to. Yet there seems to be plenty of certainty around the 'net that one of the above methods should work. Any idea what could be going on, especially since I am using minimal pages to test the mechanism (no side effects that I can see)? By the way I am on a shared server, if that's pertinent here.

Thank you for your thoughts. Frank.

Edit. I fixed it. The problem was caused by Suhosin. See detailed answer at the foot of this page.

Frankie asked Feb 16 '12 19:02


1 Answer

Ok I nailed it and it was a stinker.

Suhosin's suhosin.session.cryptdocroot option was the entire cause of the problem. When the session encryption key is based on the DocRoot it causes the subdomains to fail to see each other's session variables when the base domain and the subdomains are served from different directories. This leads to the session vars on the server being stored in different folders and hence they are not visible to each of the corresponding domains.

Solution. Simply add these 2 lines in your php.ini file:

suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off

A 48 hour nightmare to track down, 4.8 seconds to fix.

Frankie answered Oct 18 '22 11:10
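The answer above names the cause (Suhosin keying the session on DOCUMENT_ROOT) but gives no way to confirm it before editing php.ini, and the attempts in the question all derive or guess the cookie domain rather than pin it. The script below is an added diagnostic, not code from the original post or from Suhosin: deployed unchanged under both the base domain and the subdomain, it sets the cookie parameters once, the way the question's fourth attempt does, and then reports the things that must agree on both hosts (cookie domain, session.save_path, session id, and the two Suhosin cryptdocroot settings). 'mydomain.com' stands in for the poster's real domain, and the file name session_probe.php, the helper names probe() and problems(), and PHP 7 or later are assumptions.

```php
<?php
// session_probe.php (added example, not from the original post).
// Put this same file under the document root of both www.mydomain.com and the
// subdomain, then load it on each host. Both responses must show the same
// cookie_domain, the same save_path and (on the second visit) the same
// session_id; any "PROBLEM:" line explains why the session is not shared.

$baseDomain = 'mydomain.com';   // assumed value; hard-coded on purpose so the
                                // cookie scope is never taken from the Host header

// Refuse to run on a host outside the base domain instead of scoping a cookie to it.
$host = strtolower(preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST'] ?? ''));
$suffix = '.' . $baseDomain;
if ($host !== $baseDomain && substr($host, -strlen($suffix)) !== $suffix) {
    http_response_code(400);
    exit("Unexpected host\n");
}

// Secure should simply be true in production; it is derived here only so the
// probe also works on a plain-HTTP test bed like the one in the question.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Scope the session cookie to every subdomain of the base domain; HttpOnly keeps
// the id away from script on any of those subdomains. Must precede session_start().
session_set_cookie_params(0, '/', $suffix, $secure, true);
session_start();

// Mirror the poster's "test 1": set a value once, see whether the other host reads it.
if (!isset($_SESSION['test'])) {
    $_SESSION['test'] = 'Fred';
}

// Everything that has to agree on both hosts for one session to be visible to both.
function probe(): array
{
    $params = session_get_cookie_params();
    return [
        'host'                 => $_SERVER['HTTP_HOST'] ?? '',
        'document_root'        => $_SERVER['DOCUMENT_ROOT'] ?? '',
        'session_id'           => session_id(),
        'cookie_domain'        => $params['domain'],
        'save_path'            => ini_get('session.save_path') ?: sys_get_temp_dir(),
        'suhosin_loaded'       => extension_loaded('suhosin'),
        // ini_get() returns false when Suhosin is absent or the directive is unset.
        'session_cryptdocroot' => ini_get('suhosin.session.cryptdocroot'),
        'cookie_cryptdocroot'  => ini_get('suhosin.cookie.cryptdocroot'),
    ];
}

// Conditions that stop the base domain and a subdomain from sharing a session.
function problems(array $p, string $baseDomain): array
{
    $out = [];
    if ($p['cookie_domain'] !== '.' . $baseDomain) {
        $out[] = "cookie domain is '{$p['cookie_domain']}', expected '.{$baseDomain}'";
    }
    if ($p['suhosin_loaded']) {
        foreach (['session_cryptdocroot', 'cookie_cryptdocroot'] as $key) {
            // "On", "1", "true" all count as enabled; "Off", "0", "" and false do not.
            if (filter_var($p[$key], FILTER_VALIDATE_BOOLEAN)) {
                $out[] = "$key is On: Suhosin derives the session/cookie encryption key "
                       . "from DOCUMENT_ROOT, so hosts served from different directories "
                       . "cannot read each other's session (fix: set it Off in php.ini)";
            }
        }
    }
    return $out;
}

header('Content-Type: text/plain');
$p = probe();
print_r($p);
foreach (problems($p, $baseDomain) as $msg) {
    echo "PROBLEM: $msg\n";
}
echo "session test value: {$_SESSION['test']}\n";
```

Load the page on the base domain first, then on the subdomain: with the fix from the answer applied, the second host shows the same session_id and "Fred" without having set it. If the save_path values differ, the two virtual hosts are not even looking at the same session store, which the Suhosin switch alone will not cure. Two caveats that follow from the setup itself rather than from the poster's bug: a cookie scoped to .mydomain.com is sent to every subdomain, so any subdomain that can be compromised (or that another tenant controls) can read or fixate the session, and a shared-host session.save_path that other accounts can read exposes the session files; point save_path at a directory private to your account and call session_regenerate_id(true) after login.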