Ok, so I'm having an issue with a project I'm working on. I have a site with multiple subdomains. However, I've setup each subdomain to be it's own hosting account (meaning it has it's own hosting user and such). Now, I DON'T want cookies to be shared across the domains. One domain is a signup domain (http://signup.mydomain.com), one is a login domain (http://login.mydomain.com). However, after they signup(on the signup subdomain) I want to force them to log in on the "log in subdomain".

In firefox everything works fine. But for some reason in Internet explorer it's not creating a new session when they go from one subdomain to the other. It's still trying to read the old session file...but this isn't going to work because the session file is owned by the signup user...not the login user. Hence I am getting an error: open(/tmp/sess_91757a42a3b0ff0415e07ac62e603790, O_RDWR) failed: Permission denied (13), which of course makes sense because of the file ownership issue.

Now, what I can't figure out is how to force internet explorer to start a new session between the two subdomains, and treat them like they are seperate sites (like they technically are).

Here is code I've tried with no success:

on the signup subdomain

session_set_cookie_params(0, '/', 'signup.mydomain.com'); 
session_start();

on the login subdomain

session_set_cookie_params(0, '/', 'login.mydomain.com'); 
session_start();

I thought this one would work since it is forcing the cookie domain to just that subdomain...but no luck>

Then I tried:


session_destroy();
$old_sessionid = session_id();
session_regenerate_id();
session_start();

And of course this one doesn't work because I still have the same issue with the file being owned by the wrong hosting account user.

Anyone run across this before, or have any ideas for me? I've been looking at it for hours with no luck...

    Ok, so i think I actually figured out what was going on. I just happened to stumble upon it when looking over another issue with the site. The root domain is using wordpress with the bulletproof security pro security module. It turns out, by default they deny HEAD requests with this in the .htaccess file:

        RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]

    It's supposed to be in there to stop junk and spam bots, but apparently this was causing an issue with I.E. not releasing the session. As soon as I removed the "HEAD" from it, the cookies started working the way they should. Hopefully this helps someone else out in the future.

      Write a Reply...