Reputation: 5395
I'm building an application on a subdomain using CakePHP 3. Users log in to https://example.com/ which is written in vanilla PHP (5.x). The Cake app resides on https://app.example.com/. I have added the following to config/app.php. The intention of this is that the Cake app can read the session variables from the login domain (https://example.com).
    'Session' => [
        'defaults' => 'php',
        'cookie' => 'PHPSESSID',
        'timeout' => '0',
        'ini' => [
            'session.cookie_domain' => '.example.com',
            'session.cookie_httponly' => 'on'
        ]
    ]
All of this works fine. I can print out session variables which are set by https://example.com on https://app.example.com.
However, I'm not convinced Cake is actually treating the configuration correctly (or even using it at all)...
I was curious as to how session.cookie_domain works, so I started changing the value. In the end I changed it to something nonsensical such as 'session.cookie_domain' => 'ksjdhshfksdf' and it all still worked as before.
The only way in which I can "break" it is to change 'cookie' => 'PHPSESSID' to 'cookie' => 'CAKEPHP', which renders the session unreadable (as it's going back to Cake's own session handler rather than the "vanilla" PHP one?). Can someone please explain this, or tell me if it's set up incorrectly for my needs?
Incidentally, the server's php.ini has been configured to include session.cookie_domain = ".example.com". I'm unclear if this may be where the problem lies - perhaps because Cake is using php.ini for the session settings, the ini part of the array is not actually meaningful?
Upvotes: 1
Views: 465
Reputation: 60463
The session.cookie_domain option only affects writing session cookies, not reading them. It's the user agent that decides whether to send a cookie alongside the request, depending on the domain settings that the server responded with when it set the cookie.
When a cookie is being sent by a user agent, there will be no domain config value, only the cookie name and its value, so PHP couldn't make use of the domain setting even if it wanted to, it simply has no clue where a cookie originally stems from.
On the server side, sessions are always initialized by PHP itself; all CakePHP can do is call session_start(), and the only thing that matters to PHP is the cookie name and its value. If the cookie name matches the configured session cookie name, then its value will be used to identify a possible session (that is where a custom session handler can hook in), and that's all there is to it on the server side with regards to picking up sessions.
What you could break with a wrong cookie_domain setting is session renewal, as it will destroy the session store and write a cookie with a domain value that will cause the user agent to not send it on subsequent requests.
Upvotes: 3
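An added example (not code from the question or the answer) modelling in Python the RFC 6265 domain rules a user agent applies to the Domain attribute: a Set-Cookie whose Domain does not domain-match the responding host is rejected by the browser, a cookie set without a Domain is host-only and never reaches the subdomain, and the Cookie header the server receives carries only name=value pairs. The class and function names are my own; the host names and cookie names are the question's.

```python
# Added example: a minimal model of the browser-side rules that decide which
# cookies reach app.example.com. The server-side session.cookie_domain value
# only matters at write time (Set-Cookie); on read, PHP sees name=value only.

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: does the request host domain-match `domain`?"""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if host == domain:
        return True
    # host must be a subdomain of `domain`, and must not be an IP address
    return host.endswith("." + domain) and not host.replace(".", "").isdigit()


class BrowserCookieJar:
    """Stores cookies the way a user agent would: name -> (value, domain, host_only)."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, response_host: str, name: str, value: str,
                   domain_attr: str = "") -> bool:
        """Process a Set-Cookie header; returns False if the UA rejects it."""
        if domain_attr:
            # RFC 6265 section 5.3 step 6: Domain must match the responding host,
            # otherwise the whole cookie is ignored and any stored one survives.
            if not domain_match(response_host, domain_attr):
                return False
            self.cookies[name] = (value, domain_attr.lower().lstrip("."), False)
        else:
            # No Domain attribute: host-only cookie, not sent to subdomains
            self.cookies[name] = (value, response_host.lower(), True)
        return True

    def cookie_header(self, request_host: str) -> str:
        """Build the Cookie header the UA sends: names and values, no domain."""
        parts = []
        for name, (value, domain, host_only) in self.cookies.items():
            sent = (request_host.lower() == domain) if host_only \
                else domain_match(request_host, domain)
            if sent:
                parts.append(f"{name}={value}")
        return "; ".join(parts)


def session_id_from_cookie_header(header: str, session_name: str):
    """What session_start() has to work with: the value under the cookie name."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == session_name:
            return value
    return None
```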