Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP session is getting reset between subdomains

Tags:

php

session

session-cookies

I have a website running with two subdomains, both of which require login (based on the same DB access credentials). In order to make it easier for users, I wanted to change it so they can navigate both subdomains without having to log in separately: essentially, they log in at one of the subdomains and can then freely navigate between one and the other.

One solution I found at Allow php sessions to carry over to subdomains involves changing the session.cookie_domain variable to so that all subdomains would share the session variables, but something seems to be wrong. I can still login at subdomain1 and navigate it, but as soon as I load a page from subdomain2, subdomain1 instantly loses all its session data and I'm taken back to the login page. This also happens the other way around (logging in from subdomain2 at first). Prior to the change, subdomains could be simultaneously logged in but they wouldn't 'see' each other.

What could be causing this problem to occur?

like image 987
Silen Avatar asked Feb 19 '23 18:02

Silen

1 Answers

My suspect is the suhoshin project's session encryption feature, this patchset is included in most debian based systems. It can be configured to encode the session file's content with a key generated from various sources, to protect the session contents from other php scripts running on the same machine (shared hosting) or session hijacking. One of the sources is the docroot (enabled by default) which is usually different on every subdomain.

Check if its installed

A simple phpinfo() will report the extension and it's settings, look for a block named suhosin and below that see if suhosin.session.encrypt and suhosin.session.cryptdocroot is on

Disabling the encryption

Obviously you can edit your php.ini to disable the whole encryption or only the docroot part if you have access to the server.

If you don't, and the server is running apache, try disabling it in the .htaccess file of your php app's root like this:

php_flag "suhosin.session.cryptdocroot" 0

If its working you should see the difference in the phpinfo() output. (Local value column)

If your host doesn't allow a .htaccess file, you can set the same variable in php, but its important to do it before session_start(). Hopefully you have some kind of a front controller to place this in.

ini_set('suhosin.session.cryptdocroot', 0);
phpinfo();

The output of the phpinf should be same as in the .htaccess method, cryptdocroot line with an "Off" local value.

like image 173
complex857 Avatar answered Feb 28 '23 10:02

complex857
Sign in to Comment

Related questions

how to change/hide server directory name?
How bootstrap works in general and particularly in Zend Framework?
Append variables to url after form submit
PDO::FETCH_ASSOC What is about PDO::FETCH_ARRAY?
Logging Amazon SES Message ID
Codeigniter number of rows in controller
Multi Organization SaaS mySQL Setup?
MYSQL - Get Next and Previous Record by ID - HTML for hyperlinks
Find all hrefs in page and replace with link maintaining previous link - PHP
PHP deferred string interpolation
How to dynamically change (add) the active state class to a navigation link
how can i check if an element is visible in php? [duplicate]
PHP heredoc syntax
How to unflatten a multidimensional array (where original key access path is stored as a single key) in PHP?
PHP Executing Multiple Times
If PHP's mt_rand() uses a faster algorithm than rand(), why not just change rand() to use the newer implementation?
Sort PHP Array by number of Appearances
Is this use of str_replace sufficient to prevent SQL injection attacks?
PHP getting local date and time
Open URL via cmd without opening a browser

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!