Sessions, cookies among subdomains


#1

I need to implement cross-subdomain authorization with sessions and cookies. That means if a user logs in at http://domain.com/ he must also be considered logged in on all subdomains of that domain (http://*.domain.com/). A good example of such authorization is livejournal.com, where you can post comments on all subdomains if you are logged in on the main domain.

I set this option in .htaccess:
php_value session.cookie_domain .domain.com
It seems to be working, but only in IE-based browsers. When logging in with Opera or Firefox it doesn’t work on subdomains.
My friend said that I should contact the server admin to ask for cross-subdomain authorization. What do you think about it?


#2

PLEASE someone HELP!!!


#3

That’s fairly simple; just make sure that all the routines you use to set cookies (whether HTML-META, JavaScript, or PHP) specify the root domain (frex, “domain.com”). Note that this same method can be used in reverse; you can also allow specific cookies that do NOT cross subdomains as well (but it seems you already know that part).

If you’re using third-party (not-your-own) scripts and such, prepare to get a-hackin’ away at some code.

[quote]I set this option in .htaccess:
php_value session.cookie_domain .domain.com
It seems to be working, but only in IE-based browsers. When logging in with Opera or Firefox it doesn’t work on subdomains.[/quote]
That’s for when you use the $_SESSION global variable to store cross-scripted values. If you’re using the $_COOKIE gvar, you need to implement a specific root domain in the PHP “setcookie” function; see PHP setcookie function. Note that domain also needs to be specified when using HTML-META or JavaScript if you also use those methods.

Also important: Some browsers (…and third-party scripts/enhancements/toolbars) may be set to prevent/block cookies from crossing subdomains; other than setting up a FAQ (and associated links) to address the specific problem you’re using cookies for, you can’t much help folks what’s got their browsers set in uber-anal-retentive mode.

Not true at Dreamhost.
If it gets puzzling, try putting the following code in the top of some of your problem scripts so’s you can look at the HTML source to track down the problem:

print "<!-- \$_ENV "; print_r($_ENV); print " -->\r";
print "<!-- \$_SESSION "; print_r($_SESSION); print " -->\r";
print "<!-- \$_COOKIE "; print_r($_COOKIE); print " -->\r";
print "<!-- \$_POST "; print_r($_POST); print " -->\r";

Good luck.


#4

I am not using someone’s scripts, I am just working on my own PHP scripts.

Yes I use this variable in my scripts.

Can’t catch what you mean. What I did for now is set up
php_value session.cookie_domain .domain.com and also denied using session strings in URLs (that’s because I am using mod_rewrite for beautiful URLs):
ini_set('session.use_only_cookies','1');
What else should I undertake to make it work?


#5

[quote]{…re: setting cookies via HTML-META and Javascript}
Can’t catch what you mean.[/quote]
Let me rephrase in the form of a question:
How are you setting the variable name and associated value of your cookies?

[quote]What I did for now is set up
php_value session.cookie_domain .domain.com and also denied using session strings in URLs (that’s because I am using mod_rewrite for beautiful URLs):
ini_set('session.use_only_cookies','1');
What else should I undertake to make it work?[/quote]
You need to specify the root domain without the subdomain each time you set or change the value of a cookie. Cookies set in this fashion should span subdomains.
If you are using mod_rewrite, then you may also need to set the default path of each cookie to “/” (root directory) when both setting/changing cookies and when you retrieve them (see the link/ref to the PHP setcookie function in my previous reply) in order to make the cookie span subdirectories as well as subdomains.

And honestly, I’m not at all sure how cookies react to Apache-rewritten URLs; you may want to stick with $_SESSION variables exclusively.


#6

OK, I’ll show you how I work with session vars. Actually, nothing special… At the beginning of the script I place the following code:

header("Cache-Control: no-cache, must-revalidate");
ini_set('session.use_only_cookies','1');
ini_set('url_rewriter.tags','');
unset($s);
session_start();
session_register('s');

…or sometimes another variant:

ini_set('session.use_only_cookies','1');
ini_set('url_rewriter.tags','');
unset($s);
if (isset($_REQUEST[session_name()])){
    session_start();
    session_register('s');
}

And in code I work with variables using $_SESSION['s'] (for example $_SESSION['s']['login']).

That’s it.
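
The session setup discussed in this thread, as an added example that is not part of any post above: it scopes the session cookie and ordinary cookies to the parent domain with path "/", and issues a new session ID at login because a cookie scoped this widely can be set by any subdomain. It assumes PHP 7.3 or later, HTTPS on every host, and a session store that all subdomains can read; SESSION_NAME and the function names are hypothetical, and domain.com is the thread's placeholder.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+, HTTPS on every
// host, and one session store shared by all subdomains.
declare(strict_types=1);

const ROOT_DOMAIN  = 'domain.com';   // the thread's placeholder domain
const SESSION_NAME = 'SITESESSID';   // hypothetical; must be identical on every subdomain

// Attributes every cross-subdomain cookie needs: parent domain plus path "/".
function shared_cookie_scope(): array
{
    return [
        'path'     => '/',                 // valid under every rewritten sub-path
        'domain'   => '.' . ROOT_DOMAIN,   // sent to domain.com and *.domain.com
        'secure'   => true,                // never sent over plain http
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

// Call before any output, on every host, instead of a bare session_start().
function start_shared_session(): bool
{
    ini_set('session.use_only_cookies', '1');  // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_name(SESSION_NAME);
    session_set_cookie_params(['lifetime' => 0] + shared_cookie_scope());
    if (!session_start()) {
        return false;
    }
    // session_register() was removed in PHP 5.4; use $_SESSION directly.
    $_SESSION['s'] = $_SESSION['s'] ?? [];
    return true;
}

// A fresh ID at login keeps a cookie planted before login from becoming an authenticated one.
function mark_logged_in(string $login): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['s']['login'] = $login;
}

// Plain $_COOKIE values need the same scope on every setcookie() call.
function set_shared_cookie(string $name, string $value, int $ttl): bool
{
    return setcookie($name, $value, ['expires' => time() + $ttl] + shared_cookie_scope());
}

start_shared_session();
```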