Reputation: 433
I noticed that the cookie session ID in php changes after changing your url from www. to non-www. For example, from "https://mathtutortime.com/account" to "https://www.mathtutortime.com/account".
If I redirect from "https://mathtutortime.com/login" to "https://www.mathtutortime.com/account", I am setting the session ID:
In https://mathtutortime.com/login I set a session variable and redirect:
<?php
session_start();                 // the session must be started before anything is written to $_SESSION
$_SESSION["username"] = $username;
$_SESSION['loggedin'] = true;
header("Location: ../account");
exit;                            // stop here so nothing after the redirect header keeps executing
<?php
// account page: https://mathtutortime.com/account
session_start();
echo session_id();
echo " ";
if (!empty($_SESSION['loggedin']))   // avoids an undefined-index notice when this is a brand-new session
{
    echo "You are logged in! Our site is still under construction, but it's growing quickly!<br><br>Please click one of the two buttons if you want tutoring, or if you want to be a tutor at the bottom of the screen.<br><br>";
}
?>
Now, if I change in my browser from "https://mathtutortime.com/account" to "https://www.mathtutortime.com/account" I notice that my session ID changes from u5ns3nna7ntp7kbekkkk71afn6 to pqrna7ntp7dsbkkkk71afn6, for example.
I am still able to output the message because I had set $_SESSION['loggedin']. My question, however, has to do with the fact that the session ID changes if somebody does this. Does this open up any security risks if the user can do this?
Thanks,
Upvotes: 1
Views: 287
Reputation: 1583
No, that's not a security risk. Session cookies are not shared between a domain and its subdomains by default, which is why you see a new session created.
I usually suggest that people pick the domain/hostname they want to use (e.g. domain.com OR www.domain.com) and use code or rewrite to force all users down that particular path when the user first visits the page. It's less confusing and messy that way.
However, if you don't want that and simply want the session cookies to be shared across subdomains, you can do this before calling session_start:
session_set_cookie_params(0, '/', '.yourdomainhere.com'); // lifetime 0 = browser-session cookie, path '/', domain set to the parent so every subdomain receives it
Just be mindful that sharing session cookies across subdomains like this CAN be a security risk if there are other subdomains that you do not control.
Upvotes: 1
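The two options from the answer above, written out as a small bootstrap file that a site would include before `session_start()`. This is an added example, not code from the asker or the answerer: `example.com` and `www.example.com` are placeholder hostnames, the array form of `session_set_cookie_params()` assumes PHP 7.3 or newer, and `login_user()` is a hypothetical helper showing where the asker's `$_SESSION['loggedin'] = true` would go.

```php
<?php
// session_bootstrap.php (added example, not the original post's code)
declare(strict_types=1);

// Placeholder hostnames (assumption): the bare domain is the canonical host here;
// swap the two constants if you prefer to standardise on www.
const CANONICAL_HOST = 'example.com';
const ALTERNATE_HOST = 'www.example.com';

/**
 * Option A from the answer: force every visitor onto one hostname before a
 * session cookie is ever issued, so the www/non-www split never creates two
 * sessions. Returns the absolute URL to redirect to, or null if the request is
 * already on the canonical host. Only the known alternate host is redirected;
 * an unexpected Host header is never echoed into a Location header.
 */
function canonical_redirect_target(string $host, string $uri): ?string
{
    $host = strtolower($host);
    if ($host === CANONICAL_HOST || $host !== ALTERNATE_HOST) {
        return null;
    }
    // $uri is the path plus query string; header() refuses values containing
    // CR/LF, so a malformed request cannot inject extra headers here.
    return 'https://' . CANONICAL_HOST . $uri;
}

/**
 * Option B from the answer: share one session cookie across the parent domain
 * and all of its subdomains. The hardening flags are added here on top of the
 * answer's one-liner; secure/httponly/samesite do not affect sharing, they
 * limit where the cookie is sent and who can read it.
 */
function configure_shared_session_cookie(string $parentDomain): void
{
    session_set_cookie_params([
        'lifetime' => 0,              // browser-session cookie, like the answer's first argument
        'path'     => '/',
        'domain'   => $parentDomain,  // e.g. 'example.com' is valid for every subdomain too
        'secure'   => true,           // only sent over HTTPS
        'httponly' => true,           // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/**
 * Hypothetical login helper: regenerate the session ID when the privilege level
 * changes, so the ID a client held before authenticating is not the one that
 * becomes "logged in".
 */
function login_user(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['loggedin'] = true;
}

// --- bootstrap: pick ONE of the two options ---------------------------------
$host = $_SERVER['HTTP_HOST'] ?? '';
$uri  = $_SERVER['REQUEST_URI'] ?? '/';

// Option A: canonical host redirect (the answer's recommendation).
$target = canonical_redirect_target($host, $uri);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}

// Option B instead: uncomment to share the cookie across subdomains.
// configure_shared_session_cookie('example.com');

session_start();
```

With option A, a request for `https://www.example.com/account?x=1` is answered with a 301 to `https://example.com/account?x=1`, and the browser only ever holds one session cookie. With option B, the cookie's Domain attribute covers the parent domain and every subdomain, which is exactly the condition the answer warns about: any subdomain you do not control can then read and set that cookie.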