Sessions and Sub-Domains

Anon

Does anyone know how to get sessions information to cross sub-domains without using cookies or a database? I was very surprised to find that even though I was passing the PHPSESSID the information was limited to the sub-domain in which it was registered.

Each page, on both sub-domains, starts with the header:

: Start Sessions and Save the Locally

    ini_set('session.save_path',"/home/web/tmp/sessions");
    ini_set('session.use_cookies',0);
    ini_set('session.use_trans_sid',1);

    session_start();

Is there an INI setting I'm missing?

Thanks!

nikholmes

I'm wrestling with the same stuff, sending logins via https on a different host (and domain, and server!). I found a way...

Say both subdomains are on the same box:
www.host.com -> /home/host_www/web
www2.host.com -> /home/host_www2/web

1: Create a folder eg
/home/host_www/sessiondata
with chmod 777

2: At the top of any scripts which need the session ID, in either subdomain, do
ini_set('session.save_path',"/home/host_www/sessiondata");

Then your session data should be common across both hosts/subdomains.

You could make this more secure by using more limited permissions on the sessiondata, if you know more about permissions than I do.

If the subdomains are NOT hosted on the same box, it's more difficult - I think I have a solution, if anyone wants it.

NB - I think this works, but I've only just tried it on php4.2.2 - there may be issues with other versions, or aspects I haven't tested. Caveat Programmor. 🙂

nik

Anon

I have a similar structure:

/home/user/www/sessions/
/home/user/www/
/home/user/www/sub/

and ini_set heading all files, but the sessions don't transfer with cookies disabled.

nikholmes

Cookies disabled clientside or serverside? Disabling clientside but not serverside could cause problems, I would think.

In every script which uses the session ID, I'm also using ini_set to stop sessions using cookies, and to disable trans_sid. In other words, I make sure php can only get the session ID when I explicitly provide it via URL or POST, and then I make sure that I provide it as needed.

Also - check that ini_set actually works when you execute it. It doesn't throw a php error when you use to change something you're not allowed to change, so test the result.

And it may be that something in your server config stops my variant from working - I'm no config expert. I just kept trying different things until one worked. 🙂

nik