session not carrying between www and non-www

Square1

Hi all:

As I expected, my sessions are not carrying through between www.mysite.com and mysite.com. I would like them to carry through.

Is mod_rewrite the best way to set this? Is there a PHP ini setting to do this? And lastly, if the default is for them NOT to carry through, am I causing any security risk by allowing it?

Thanks!

NogDog

Easiest way to address that is to set session.cookie_domain to ".mysite.com" (note the leading ".") in your PHP configuration.

bradgrafelman

One thing to note is that sessions themselves don't go anywhere. As long as the client provides the same session ID on each request, the server will know which session to open.

Thus, the real problem is that your session ID isn't being propagated from the 'www.' request to the (null subodmain) request. As such, I'm guessing you're using cookies to propagated the SID, correct?

By default, PHP will output cookies for whatever domain that was used to make the request. However, if you use domain values such as '.mysite.com', the leading '.' actually matches any subdomain - including the null subdomain. As such, you'll want to use something like [man]session_set_cookie_params/man before every call to session_start() or else modify your PHP config (the See Also section on the previously linked man page will point you to the right PHP directives).

EDIT: I knew it. NogDog beats me to it yet again.

Square1

Thanks guys.

I see session.cookie_domain. But this setting is server wide. What if you have multiple domains on the server? What am I missing? So if you set it to ".mysite.com", what if you also have "anothersite.com" on the server?

bradgrafelman

Square1;10994919 wrote:
But this setting is server wide.

Not exactly - it affects anything that uses whichever .ini file you're editing. Whether that .ini file is used server wide or if individual (virtual) hosts use their own php.ini file would depend on how they are configured.

Square1;10994919 wrote:
What if you have multiple domains on the server?

Either have them each use their own php.ini file, use the .user.ini files feature (see: [man]configuration.file.per-user[/man]) and move the domain-specific configurations in there (if allowed), or use a .htaccess file to set the auto_prepend_file directive on each host to point to a .php script that sets up the domain-specific configurations (if allowed).

Square1

Thank you. I will contact my host regarding this.

Square1

I will test it some more but it looks like that did it.