Reputation: 21
I'm confused about PHP session handling. This is the scenario:
Client browser accesses server-a.domain-1.com which loads the contents of a page on server-b.domain-2.com into an iframe.
The client gets a session cookie from server-a; let's say its value is 123. If I echo session_id() on server-b it shows a different session id inside the iframe, say 456, but there is no cookie for this on the client. Of course if I load the server-b page directly, I get its cookie, so then have 2 session cookies, 123 and 456.
What I don't get is this. I delete all the cookies and load up the page for server-a, so now I have its cookie (123). The page being rendered in the iframe shows session id 456, but its cookie is not on the client. Now every time I reload the page on server-a, server-b shows the same session_id, but the client never gets its cookie.
So how does server-b know this is the same session if there is no cookie?
From my reading I understand the session ID can be dynamically added as a URL parameter if cookies aren't available, but this requires session.use_trans_sid to be set in php.ini, which it is not. There is also no evidence in the address bar that this is happening.
I'd appreciate any insight into what is actually going on here.
Upvotes: 0
Views: 1085
Reputation: 26
In the default configuration PHP stores the session data on the hard drive. When you want to use the session on two different servers you have to set up shared sessions. For example, this can be done using memcache.
In your setup the server server-a.domain-1.com stores the session on its hard drive. When you send the session ID to server-b.domain-2.com it tries to read the session from its hard drive. This will fail and a new session is created. Or, under some circumstances, it will load another session, which does not belong to the original one.
Upvotes: 0
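The storage behaviour described in the answer above can be reproduced offline with the PHP CLI. This is an added example, not code from either poster; the temp directories standing in for each server's session store, the helper names `handle_request` and `make_store`, and the session ID are all constructed for illustration.

```php
<?php
// Added illustration (not from the thread): temp directories stand in for the
// local session stores of server-a and server-b. Run with the PHP CLI.
ini_set('session.use_cookies', '0');     // CLI demo: the ID is passed in code, no cookie headers
ini_set('session.cache_limiter', '');    // no cache headers either
ini_set('session.use_strict_mode', '0'); // PHP default: an unknown ID is accepted as-is

// Simulate one request that presents session ID $sid to the store in $storeDir.
// Optionally write a value first; return what the session holds for 'user'.
function handle_request(string $storeDir, string $sid, ?string $write = null): ?string
{
    session_save_path($storeDir);
    session_id($sid);
    session_start();
    if ($write !== null) {
        $_SESSION['user'] = $write;
    }
    $seen = $_SESSION['user'] ?? null;
    session_write_close();
    return $seen;
}

// Create a private directory to act as one session store (hypothetical helper).
function make_store(string $name): string
{
    $dir = sys_get_temp_dir() . '/sessdemo_' . $name . '_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    return $dir;
}

$sid    = 'constructedsessionid0123456789ab'; // constructed sample ID
$storeA = make_store('a');
$storeB = make_store('b');
$shared = make_store('shared');

// Separate stores: server-a writes, server-b is shown the same ID.
$lines = [];
handle_request($storeA, $sid, 'alice');
$lines[] = 'server-a, own store:    ' . var_export(handle_request($storeA, $sid), true);
$lines[] = 'server-b, own store:    ' . var_export(handle_request($storeB, $sid), true);

// Shared store: both "servers" read and write the same backend.
handle_request($shared, $sid, 'alice');
$lines[] = 'server-b, shared store: ' . var_export(handle_request($shared, $sid), true);

// Output is deferred to the end so no session call runs after output has started.
echo implode(PHP_EOL, $lines), PHP_EOL;
```

The session ID is only a lookup key into whichever store the receiving server uses; presenting the same ID to a server with a different store yields an empty session rather than the original data.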