$_SESSION values not shared on domain URL differences

JimSB
Forum Newbie
Posts: 6
Joined: Thu Oct 25, 2012 5:15 am

$_SESSION values not shared on domain URL differences

Post by JimSB »

I have been noticing a problem where $_SESSION variables don't seem to be passed properly if the url used to invoke the program is slightly different.
I have session_start() at the beginning of all programs that use sessions.

I have two programs: store.php and checkout.php. It is possible for the users to enter values into either program that are stored in $_SESSION and SHOULD be picked up when the other is invoked. However, if I go first to domain.com/checkout.php, and then attempt to go to www.domain.com/store.php, I find that the values are not set. However if I go to domain.com/store.php, it picks them up. It seems as though a different session_id() is being established depending on how the user invokes the program. Is there any way to regularize this or pick up a session key that has been established with the other domain name?
JimSB
Forum Newbie
Posts: 6
Joined: Thu Oct 25, 2012 5:15 am

Re: $_SESSION values not shared on domain URL differences

Post by JimSB »

I may have found my own answer.
I added the following to my root level .htaccess file:

# Redirect the bare domain to the www host so every request uses one hostname
RewriteEngine On
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^domain\.com [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301]

This seems to standardize the URL - on to further testing without pulling out my hair.
JimSB
Forum Newbie
Posts: 6
Joined: Thu Oct 25, 2012 5:15 am

Re: $_SESSION values not shared on domain URL differences

Post by JimSB »

Incidentally, the urls are not real. domain.com is generic.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: $_SESSION values not shared on domain URL differences

Post by requinix »

That's a good thing to do regardless. The actual fix to the problem is making sure the session cookie is set with a domain of ".domain.com" (via the php.ini settings). That leading period means the cookie applies to domain.com and all subdomains, and without it the domain name must match exactly.
JimSB
Forum Newbie
Posts: 6
Joined: Thu Oct 25, 2012 5:15 am

Re: $_SESSION values not shared on domain URL differences

Post by JimSB »

Unfortunately I am on a hosting service and I don't think they will let me mess with the php.ini settings. I may be wrong though.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: $_SESSION values not shared on domain URL differences

Post by requinix »

You can change the session.cookie_domain setting at any point, even in code. If you are allowed .htaccess files then you can

php_value session.cookie_domain ".domain.com"

Or in a php.ini/.user.ini, or simply with

ini_set("session.cookie_domain", ".domain.com");

(which you'd have to do before you call session_start() and in every place you have that).

There's also the easier session_set_cookie_params which lets you change all the cookie settings at once.
JimSB
Forum Newbie
Posts: 6
Joined: Thu Oct 25, 2012 5:15 am

Re: $_SESSION values not shared on domain URL differences

Post by JimSB »

Thank you. I must admit to being much more familiar with the coding part of .php than the environment/configuration part, and am a bit hesitant to change them without knowing precisely what I am doing. Is there a good book/web tutorial that explains this stuff? Also, if a paranoid user has set cookies completely off, is there a way to detect this and run sessions?
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: $_SESSION values not shared on domain URL differences

Post by requinix »

JimSB wrote: I must admit to being much more familiar with the coding part of .php than the environment/configuration part, and am a bit hesitant to change them without knowing precisely what I am doing. Is there a good book/web tutorial that explains this stuff?

Not that I know of. Reading the documentation for the various settings is a good start, and often the user comments in the manual pages will have good information.

For this particular stuff knowledge of cookies is what comes in handy.

JimSB wrote: Also, if a paranoid user has set cookies completely off, is there a way to detect this and run sessions?

Kinda, but it's a hassle. Then you have to make sure the session ID gets put in all your URLs which can be very insecure.
People who disable cookies are familiar with sites not working for them and they'll have set up exceptions for the sites they want to use. They'll do that for yours too.
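
As an added example (not part of the thread and not either poster's code), here is one way to apply the session_set_cookie_params suggestion while keeping session IDs out of URLs, as the last reply advises. It assumes PHP 7.3 or later for the array form, a hypothetical shared include named session_bootstrap.php, and the thread's placeholder domain.

```php
<?php
// session_bootstrap.php (hypothetical file name): include this at the top of
// store.php and checkout.php instead of calling session_start() directly,
// so both scripts always use identical cookie settings.

// Keep the session ID out of URLs; these values are the defaults on current PHP.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs that this server did not issue.
ini_set('session.use_strict_mode', '1');

// Mark the cookie Secure only when the request arrived over HTTPS;
// on a plain-HTTP site a Secure cookie would never be sent back.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

session_set_cookie_params([
    'lifetime' => 0,              // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '.domain.com',  // placeholder from the thread: domain.com and all subdomains
    'secure'   => $isHttps,
    'httponly' => true,           // not readable from page JavaScript
    'samesite' => 'Lax',
]);

// Must come after the settings above, as noted in the thread.
session_start();
```

A cookie scoped to the parent domain is sent to every host under it, so each subdomain receives the session ID. If any subdomain is run by someone else, keeping the redirect to a single hostname and leaving the cookie host-only exposes less.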