Sessions, Cookies, and Subdomains

Posted: Mon Dec 02, 2002 6:28 pm
by seek
Hello, I've a bit of a problem and was wondering if anyone out there can help straighten it out. Up until this point I have been using a very customized version of PostNuke for my website but things are to the point where I need to just make my own system from scratch. I want to use php sessions for my user system because they seem to be more transparent to the visitor, but there are a few problems that I think I am going to run into based on what I've read.

I want to have my website split into several subdomains with a shared user system. That is to say that when someone logs into foo.mysite.com they'd also be logged into bar.mysite.com when they go to it. It is my understanding that php sessions will not work in this way, being that each subdomain has its own sessions. If this is the case, is there a way around this? If it is the case and there isn't a way around it, is this able to be done with regular cookies?

Also, php sessions only last a certain amount of time. I'd like for users to remain logged in indefinitely if they choose to do so while logging in. Assuming this is absolutely impossible in sessions, is it feasible to use php sessions as the basis of my user system and cookies as a secondary to it if users choose to remain logged in?

Any help at all would be really appreciated, because I'd like to get the new version of my site rolled out soon.

Posted: Mon Dec 02, 2002 11:38 pm
by volka
http://wp.netscape.com/newsref/std/cookie_spec.html
domain=DOMAIN_NAME
When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".

Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

The default value of domain is the host name of the server which generated the cookie response.
If this is not feasible, take a look at http://www.php.net/manual/en/ref.sessio ... ve-handler and http://www.php.net/manual/en/function.s ... andler.php
You might write your own session handling and store the data in a centralized database for all your subdomains.