CODEWITHSUNDEEP
phpsessionsession-variablessession-cookies
nikksan
nikksan

Reputation: 3471

Shared Session Across Domains

Okay.. I have two domains example.com and example.net, they share the same code space and sessions. The problem is that the domain is supposed to change when the user changes the language, when this happens all the session data is lost. I want to do an ajax call right before that so I can change the session. Here is the code which is used to initialize the session.

<?php 
    /* This method is invoked */
    public function start($session_id = '', $key = 'default') {
        if (!session_id()) {
            ini_set('session.use_only_cookies', 'Off');
            ini_set('session.use_cookies', 'On');
            ini_set('session.use_trans_sid', 'Off');
            ini_set('session.cookie_httponly', 'On');

            if ($session_id) {
                session_id($session_id);
            }   

            if (isset($_COOKIE[session_name()]) && !preg_match('/^[a-zA-Z0-9,\-]{22,52}$/', $_COOKIE[session_name()])) {
                exit('Error: Invalid session ID!');
            }

            session_set_cookie_params(0, '/');
            session_start();
        }

        if (!isset($_SESSION[$key])) {
            $_SESSION[$key] = array();
        }

        $this->data =& $_SESSION[$key]; 

        return true;            
    }

I tried creating a standalone script to handle the ajax call, but It failed to work.

<?php 
    ini_set('session.use_only_cookies', 'Off');
    ini_set('session.use_cookies', 'On');
    ini_set('session.use_trans_sid', 'Off');
    ini_set('session.cookie_httponly', 'On');


    session_set_cookie_params(0, '/');
    session_start();
    session_id($_POST['session_id']);


    header('Content-Type: application/json');
    $data = array('session_id' => session_id());
    echo json_encode($data);

The session is not preserved when switching between the two domains. Any clues?

Upvotes: 1

Views: 193

Answers (1)

Simon Brahan
Simon Brahan

Reputation: 2076

This is a security feature of web browsers - a session uses a cookie that is attached to a domain, and the browser will not send this cookie to another domain.

As you control both domains, you can achieve this by including auth information in the URL. This is a complicated topic. You could homebrew something that would work, but if you aren't familiar with the security problems you would be better using an off the shelf single sign on solution.

Upvotes: 1

Related Questions