View Full Version : sessions and subdomains

03-02-2008, 11:47 AM
I have a session_start() on my domain


user logs in, session starts, all is good

when that session is open and the user clicks to another subdomain, say


I notice that the session is no longer open

when I return to foo.com the session reopens

session_start() is at the beginning of each script.

03-02-2008, 11:52 AM
and, no, I don't want to use php.net/session_set_cookie_params

what's the point of using sessions if you are reverting to cookies?

If this is true (can't use a session across a subdomain) then this is the first I have heard of it!

03-02-2008, 12:56 PM
Sessions are domain specific, and the reason for using sessions is a lot more than just cookies; it is also for security reasons. Users can't fiddle with session variables as easily as they can cookie files. Even sessions set a cookie for the session ID, and if it can't, PHP rewrites every URL with the session ID in the URL. So I suggest using the line below in your .htaccess, probably on both subdomains, so the session ID will be passed across subdomains.

php_value session.cookie_domain .hostname.com

03-02-2008, 04:24 PM
I have had some shared hosting servers choke on "php_value" in the htaccess file.
If that happens to you, try something like this:

put in .htaccess file

SetEnvIfNoCase Host "^([a-zA-Z0-9_]+)\.yourdomain\.com(:[\d]+)?$" SUBDOMAIN=$1

put in global php inc file that all your subdomains use.

session_set_cookie_params ( 0 ,"/", preg_replace( "/^".( isset( $_SERVER["SUBDOMAIN"] ) ? $_SERVER["SUBDOMAIN"]:"www" )."\./","", $_SERVER["HTTP_HOST"] ) );

03-02-2008, 05:19 PM
FYI - you can only set php settings in a .htaccess file when php is running as a server module and the host permits it. When php is running as a CGI wrapper, you should be able to do the same in a local php.ini (again if the host permits it.)

Setting the session.cookie_domain like .hostname.com (with the leading dot) as digitalfiz posted is all that is needed. Explicitly setting it to www.hostname.com or subdomain.hostname.com will restrict it to work in just the www. or subdomain. address.

Setting the session.cookie_domain in php.ini (when available), a .htaccess file (when available), a local php.ini (when available), or in the script using an ini_set() statement or session_set_cookie_params() statement all accomplish the same thing: they set the value before the session_start() sends the session cookie to the browser.
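
An added example (not code from any poster in this thread): one shared include that sets the cookie domain before session_start() and is used by both the login script and the subdomain script. The file name, the function and constant names, PHP 7.3+ (for the array form of session_set_cookie_params()) and HTTPS on every host are assumptions.

```php
<?php
// session_bootstrap.php: hypothetical shared include, required first by
// every script on every subdomain (login.php, index.php, ...).

// Assumption: the parent domain is a fixed constant. It is not derived
// from $_SERVER['HTTP_HOST'], which is supplied by the client.
const SESSION_PARENT_DOMAIN = '.domain.com';

function start_shared_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started in this request
    }
    if (headers_sent($file, $line)) {
        // Cookie parameters cannot take effect once output has begun.
        throw new RuntimeException("Output already started at $file:$line");
    }

    // Must run before session_start(): these values only shape the
    // Set-Cookie header that session_start() emits.
    session_set_cookie_params([
        'lifetime' => 0,                      // until the browser closes
        'path'     => '/',
        'domain'   => SESSION_PARENT_DOMAIN,  // sent to all subdomains
        'secure'   => true,                   // HTTPS only (assumption)
        'httponly' => true,                   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // never accept the ID from a URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

    session_start();
}

// login.php, after the credentials have been verified:
function mark_logged_in(string $username): void
{
    start_shared_session();
    session_regenerate_id(true);  // new ID at the privilege change
    $_SESSION['login'] = $username;
}

// my.domain.com/index.php:
function current_login(): ?string
{
    start_shared_session();
    return $_SESSION['login'] ?? null;  // null instead of "Undefined index"
}
```

The cookie carries only the session ID, so every subdomain must also read the same session storage (same save path or handler) and use the same session name. Widening the cookie to the parent domain means every host under it receives the ID, which is why the Secure and HttpOnly flags are set here.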

07-11-2011, 09:32 AM
I have problems too.
I want to retrieve login info at a subdomain, called as my.domain.com/index.php
I logged in at domain.com/login.php

I am using a session to remember my login information and can easily pass to other subdomains. But subdomains can't get the login information.
I have googled for a few hrs and tried a lot of methods but they can't work.
Assume that login is successful BUT the session is not being passed over.


session_set_cookie_params(0, '/', '.domain.com');
$_SESSION['login'] = $u;
header('Location: http://my.domain.com/index.php');


session_set_cookie_params(0, '/', '.domain.com');
$u = $_SESSION['login'];

But I got an error at index.php saying: Undefined index: login

1) I don't know whether there is a need to put this in both index.php and login.php or just one of them?

session_set_cookie_params(0, '/', '.domain.com');

2) avoid using .htaccess or other configuration files

Please help me!!

11-11-2011, 07:21 AM
Hi xporiten,

My problem is the same as your scenario. Have you been able to find a fix?

11-11-2011, 02:33 PM
Try looking above. There are two replies with information.

11-11-2011, 02:38 PM
Hi xporiten,

My problem is the same as your scenario. Have you been able to find a fix?

session_set_cookie_params is all that you need to use. Check the manual for setting the domain parameter.

11-11-2011, 02:38 PM
I know this is slightly off topic, but still related: is there a way to change the session max time length in htaccess? The reason I ask is, I changed the session max length in my phpinfo file, however the sessions only last 5 minutes if the user is inactive from changing the page.

11-11-2011, 02:57 PM
The problem with sessions is that they do time out and all hosts are different. If you move to another host then you may run into more problems.

Ideally, you should use a session table in your database which naturally has an unlimited lifetime. You can then put a number in your links/postfields that refers to that session (just be sure to use other means to check the user too otherwise you could find someone wipes all the stored sessions in your db).

You can serialize() and unserialize() arrays for storing them as strings.

It's slightly more work but it will save hassle in the long run.