Reputation: 5226
For starters, we're using the Yii framework to create our sites and it is handling the creation of the cookies.
We have a site with many subdomains so the main site has a session cookieParams of ".sitename.com".
Something like this:
We have www, a, and b to share the same session cookie and this works great.
However, we have one special admin subdomain that has a different user system and login mechanism, so we have a separate session cookieParam of "admin.sitename.com".
The problem is, if someone gets a session cookie from the main site, logging into the admin site fails, because the main site's ".sitename.com" cookie appears to be taking precedence. Deleting the cookie for the main site fixes the issue temporarily until the browser visits the main site again.
Is there any way around this, or is there a better way to set the cookies domain?
Thanks!
Upvotes: 0
Views: 2977
Reputation: 5226
After inspecting how yii accomplishes this with their gii tool I set the following in my config.php and got it working.
```php
<?php
$config = array(
    // ...
    'components' => array(
        // ...
        'user' => array(
            // enable cookie-based authentication
            'allowAutoLogin' => true,
            'class' => 'WebUser',
            // Create a custom key prefix for the user cookie
            'stateKeyPrefix' => 'customkey',
        ),
        // ...
        'session' => array(
            // Provide a custom name for the session id to differentiate it
            // from the default PHPSESSID
            // Cannot use dots in the session id :(
            'sessionName' => 'custom_session_id',
            // Keep session stored in db for use across load balancer
            'class' => 'system.web.CDbHttpSession',
            'connectionID' => 'db',
        ),
        // ...
    ),
);
```
Upvotes: 2
Reputation: 686
The easiest solution is to use different session names. In plain php you call session_name() before session_start(). I'm not very familiar with Yii framework, but the class CHttpSession seems to be a thin wrapper around the php functions and it has a setSessionName() method.
Upvotes: 2
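Why a distinct session name resolves the conflict, as an added example (not code from either answer): a small Python model of RFC 6265 domain matching for the cookie jar described in the question. The cookie values, the creation order, and the server keeping the first cookie with a given name are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # Domain attribute as set by the site
    created: int  # creation order (constructed for this example)

def domain_match(host, cookie):
    """RFC 6265 5.1.3: the leading dot is ignored; subdomains match."""
    dom = cookie.domain.lstrip(".").lower()
    host = host.lower()
    return host == dom or host.endswith("." + dom)

def cookie_header(jar, host):
    """Pairs sent to host. All paths are "/", so per RFC 6265 5.4
    the cookies created earlier are listed first."""
    sent = sorted((c for c in jar if domain_match(host, c)),
                  key=lambda c: c.created)
    return [(c.name, c.value) for c in sent]

def server_session_id(pairs, session_name):
    """Assumption: the server keeps the first cookie with a given name."""
    for name, value in pairs:
        if name == session_name:
            return value
    return None

# Constructed jar: the user visited www first, then logged in on admin.
SHARED = [
    Cookie("PHPSESSID", "main-site-id", ".sitename.com", created=1),
    Cookie("PHPSESSID", "admin-id", "admin.sitename.com", created=2),
]
# Same visit order, but the admin app uses its own session name.
RENAMED = [
    Cookie("PHPSESSID", "main-site-id", ".sitename.com", created=1),
    Cookie("custom_session_id", "admin-id", "admin.sitename.com", created=2),
]

if __name__ == "__main__":
    for label, jar, name in (("shared name", SHARED, "PHPSESSID"),
                             ("renamed", RENAMED, "custom_session_id")):
        pairs = cookie_header(jar, "admin.sitename.com")
        print(label, pairs, "->", server_session_id(pairs, name))
```

In the renamed case the main site's cookie is still sent to the admin host; it is simply no longer read as the admin session.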