...

View Full Version : Keeping Login Sessions Over a Subdomain



DarkLaika
01-17-2012, 09:00 PM
I've been struggling with this for a long time now...

How would I keep the $_SESSION values through all the subdomains on my site? They just don't seem to work on any domain but the main one.

Thanks.

Fou-Lu
01-17-2012, 09:48 PM
First, set your ini to session.use_trans_sid of 1. This will auto append a PHPSESSID or whatever your chosen session id is to the query string. Next, disable your browser from setting cookies. Finally, add a few pages that create sessions and bounce between the subdomains (the ini setting can be done in these pages instead for just testing purposes instead of altering ini).
Does that work?

If so, problem is simply your domain cookies. Set your session cookie domain from your ini's session.cookie_domain, or at a script level. This domain must be in the form of ".yoursite.com".

Let me know if that works. Remember to clear your cookies prior to trying.


Sorry, for a test you should set some more to verify. These can all be done inline with a script prior to session_start call:


ini_set('session.use_trans_sid', 1);
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 0);

This disables the forced cookies in sessions (which you want for something like a TLS site), but makes it easier to test.

DarkLaika
01-18-2012, 05:47 PM
First, set your ini to session.use_trans_sid of 1. This will auto append a PHPSESSID or whatever your chosen session id is to the query string. Next, disable your browser from setting cookies. Finally, add a few pages that create sessions and bounce between the subdomains (the ini setting can be done in these pages instead for just testing purposes instead of altering ini).
Does that work?

If so, problem is simply your domain cookies. Set your session cookie domain from your ini's session.cookie_domain, or at a script level. This domain must be in the form of ".yoursite.com".

Let me know if that works. Remember to clear your cookies prior to trying.


Sorry, for a test you should set some more to verify. These can all be done inline with a script prior to session_start call:


ini_set('session.use_trans_sid', 1);
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 0);

This disables the forced cookies in sessions (which you want for something like a TLS site), but makes it easier to test.


I'm really sorry for not mentioning this before, but I'm sorta new to PHP. If I private messaged you the code for my page, would you be able to tell me where everything should go?

Thanks!

Fou-Lu
01-18-2012, 06:08 PM
No, keep everything within the thread since that allows others to reply.
Any ini change can go at the top of the script. Session changes in particular should be done before the session_start which is typically the first line of a script that uses a session.

DarkLaika
01-19-2012, 05:15 PM
So what exactly do I put at the top of my document then?

Fou-Lu
01-19-2012, 05:49 PM
ini_set('session.use_trans_sid', 1);
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 0);


Is what you would put in each of your test scripts prior to opening a session_start().

DarkLaika
01-19-2012, 06:15 PM
ini_set('session.use_trans_sid', 1);
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 0);


Is what you would put in each of your test scripts prior to opening a session_start().

And what should I do after adding this code?

Sorry about this.

Fou-Lu
01-19-2012, 06:18 PM
Write links to go between the test scripts across the subdomains and print out the data within a session.

DarkLaika
01-19-2012, 06:25 PM
Write links to go between the test scripts across the subdomains and print out the data within a session.

Will this work in a login form?

Fou-Lu
01-19-2012, 06:26 PM
Sure. The purpose of this test is to determine if the sessions themselves are established properly and the issue is with the cookie domain.

DarkLaika
01-19-2012, 06:54 PM
Sure. The purpose of this test is to determine if the sessions themselves are established properly and the issue is with the cookie domain.

It's worked! Thank you so much!

Fou-Lu
01-19-2012, 07:14 PM
It's worked! Thank you so much!

Okay, then to fix the problem you need to set the session.cookie_domain directive to ".yoursite.com". This can be configured at any level of run, but I'd suggest to modify either php.ini or add a php_value to a perdir in an .htaccess file.
The fix above is only to confirm the issue is the cookie domain. Those with cookies enabled will still have issues since the sid is not passed via get if the cookie is successfully set.

DarkLaika
01-19-2012, 07:33 PM
Okay, then to fix the problem you need to set the session.cookie_domain directive to ".yoursite.com". This can be configured at any level of run, but I'd suggest to modify either php.ini or add a php_value to a perdir in an .htaccess file.
The fix above is only to confirm the issue is the cookie domain. Those with cookies enabled will still have issues since the sid is not passed via get if the cookie is successfully set.

How would I do this? I don't seem to have a php.ini file.

Fou-Lu
01-19-2012, 09:16 PM
I'd contact your host to find out if a local php.ini will work (cgi). Otherwise, check if a .htaccess is allowed. If neither of the two are allowed, every script has to be modified to set:


ini_set('session.cookie_domain', '.yoursite.com');

DarkLaika
01-19-2012, 09:41 PM
I'd contact your host to find out if a local php.ini will work (cgi). Otherwise, check if a .htaccess is allowed. If neither of the two are allowed, every script has to be modified to set:


ini_set('session.cookie_domain', '.yoursite.com');


.htaccess is allowed, I can use that.

Fou-Lu
01-19-2012, 09:54 PM
.htaccess is allowed, I can use that.

Then set it from there:


php_value session.cookie_domain ".yoursite.com"

DarkLaika
01-20-2012, 03:48 PM
Then set it from there:


php_value session.cookie_domain ".yoursite.com"


I get an internal server error:


RewriteEngine on
RewriteCond %{HTTP_HOST} ^mcbanlist.net$
RewriteRule ^/?$ "http\:\/\/www\.mcbanlist\.net\/" [R=301,L]

<Files 403.shtml>
order allow,deny
allow from all
</Files>

RewriteCond %{HTTP_HOST} ^mcbanlist\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mcbanlist\.net$
RewriteRule ^mywot3929c9b94ea01ec12be8\.html$ "http\:\/\/www\.mcbanlist\.net\/" [R=301,L]

ErrorDocument 400 /400.shtml
ErrorDocument 401 /401.shtml
ErrorDocument 402 /402.shtml
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
ErrorDocument 405 /405.shtml
ErrorDocument 406 /406.shtml
ErrorDocument 407 /407.shtml

RewriteCond %{HTTP_HOST} ^mcbanlist\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mcbanlist\.net$
RewriteRule ^about\/?$ "http\:\/\/www\.mcbanlist\.net\/about\/" [R=301,L]

php_value session.cookie_domain ".mcbanlist.net"

Fou-Lu
01-20-2012, 03:56 PM
Move it above your rewrite engine.

DarkLaika
01-20-2012, 03:58 PM
Move it above your rewrite engine.

Same problem.

Fou-Lu
01-20-2012, 04:07 PM
Problem is elsewhere. I successfully added the php_value into .htaccess and verified it against the ini settings.
Check the apache error logs to see if it gives more reasoning as to why the problem exists. Try blocking the mod_rewrite into an <ifModule mod_rewrite.c> block as well.

DarkLaika
01-20-2012, 05:04 PM
Problem is elsewhere. I successfully added the php_value into .htaccess and verified it against the ini settings.
Check the apache error logs to see if it gives more reasoning as to why the problem exists. Try blocking the mod_rewrite into an <ifModule mod_rewrite.c> block as well.

There's nothing inside the error_log

And how would I go about blocking the mod_rewrite into an <ifModule mod_rewrite.c> block?

DarkLaika
01-22-2012, 03:15 PM
Fou-Lu sorry to bother you but I really need help with this.

Fou-Lu
01-22-2012, 03:24 PM
Just as is:


php_value session.cookie_domain ".yoursite.com"
<IfModule mod_rewrite.c>
RewriteEngine on
# rules here
</IfModule>


What this does is only attempt to run rewrite engine if mod_rewrite.c module is available (so it will not throw errors if attempting to use a module that does not exist). I don't know if this will solve your issue, I've successfully added the cookie domain after a block of rewrite without using mod_rewrite.c check. You may need to find an apache configuration wizard to help with this.

DarkLaika
01-22-2012, 03:34 PM
Just as is:


php_value session.cookie_domain ".yoursite.com"
<IfModule mod_rewrite.c>
RewriteEngine on
# rules here
</IfModule>


What this does is only attempt to run rewrite engine if mod_rewrite.c module is available (so it will not throw errors if attempting to use a module that does not exist). I don't know if this will solve your issue, I've successfully added the cookie domain after a block of rewrite without using mod_rewrite.c check. You may need to find an apache configuration wizard to help with this.

Still getting 500 internal server error with this:


php_value session.cookie_domain ".mcbanlist.net"
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^mcbanlist.net$
RewriteRule ^/?$ "http\:\/\/www\.mcbanlist\.net\/" [R=301,L]

RewriteCond %{HTTP_HOST} ^mcbanlist\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mcbanlist\.net$
RewriteRule ^mywot3929c9b94ea01ec12be8\.html$ "http\:\/\/www\.mcbanlist\.net\/" [R=301,L]

RewriteCond %{HTTP_HOST} ^mcbanlist\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mcbanlist\.net$
RewriteRule ^about\/?$ "http\:\/\/www\.mcbanlist\.net\/about\/" [R=301,L]
</IfModule>

<Files 403.shtml>
order allow,deny
allow from all
</Files>

ErrorDocument 400 /400.shtml
ErrorDocument 401 /401.shtml
ErrorDocument 402 /402.shtml
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
ErrorDocument 405 /405.shtml
ErrorDocument 406 /406.shtml
ErrorDocument 407 /407.shtml

So if .htaccess isn't working, what should I do next? Where would I find a. apache configuration wizard?

Fou-Lu
01-22-2012, 03:35 PM
If its the php_value setting that is causing it, you can check to make sure that .htaccess is configured for allowoverride all.
If this cannot be altered and a local php.ini is not an option, you need to specify ini_set('session.cookie_domain', '.yoursite.com'); in every script using sessions prior to session_start().

DarkLaika
01-22-2012, 03:38 PM
If its the php_value setting that is causing it, you can check to make sure that .htaccess is configured for allowoverride all.
If this cannot be altered and a local php.ini is not an option, you need to specify ini_set('session.cookie_domain', '.yoursite.com'); in every script using sessions prior to session_start().

How would I make sure that my .htaccess is configured to allowoverride all? I'm pretty sure I can do just about anything with it, my host is pretty good for this sort of thing.

Once again, sorry for the questions.

Fou-Lu
01-22-2012, 05:49 PM
AllowOverride is specified in httpd.conf which is likely controlled by the host.
Course, I'm not sure if php_value will trigger a 500 if you are running a cgi. I wouldn't think so, but it is possible. phpinfo() a page up and see what your sapi is. If its cgi then you can probably use a local php.ini to set session.cookie_domain=.yoursite.com instead.

DarkLaika
01-22-2012, 06:33 PM
AllowOverride is specified in httpd.conf which is likely controlled by the host.
Course, I'm not sure if php_value will trigger a 500 if you are running a cgi. I wouldn't think so, but it is possible. phpinfo() a page up and see what your sapi is. If its cgi then you can probably use a local php.ini to set session.cookie_domain=.yoursite.com instead.

Once again, sorry, but how do I phpinfo() a page up and see what my sapi is? And I don't currently have a php.ini, do I need to create one?

Fou-Lu
01-22-2012, 08:54 PM
phpinfo() is what you call. Look for the server api which will be in the first configuration block.

DarkLaika
01-25-2012, 06:45 PM
phpinfo() is what you call. Look for the server api which will be in the first configuration block.

I'm afraid that once again I'm not sure how to call something, and I have no idea what the first configuration block is.

Fou-Lu
01-25-2012, 06:48 PM
<?php
phpinfo(INFO_GENERAL);
?>

Look for Server API or SAPI.


As an alternative, a simple print php_sapi_name(); will also work.

DarkLaika
01-25-2012, 08:07 PM
My server API is CGI/FastCGI

Fou-Lu
01-25-2012, 08:34 PM
A local php.ini file may work then.
In your site root just create a php.ini and add the line:


session.cookie_domain=".yoursite.com"

Replacing yoursite.com with the correct dns. Then either check a full phpinfo() or create a new page and run print ini_get('session.cookie_domain');. Does this show the configuration specified?

DarkLaika
01-26-2012, 05:00 PM
Still doesn't seem to be doing it for me. I'm getting two sessions in my cookies, one for www.mcbanlist.net and one for .mcbanlist.net

Fou-Lu
01-26-2012, 05:06 PM
Delete your cookies first; if you had previous cookies (although session cookies do not normally persist, so you may want to see what is in the cookies) they will interfere. Don't forget you'll need to specify your domain if you use setcookie as well.
Does the result of this show your domain: printf('Cookie domain: %s', ini_get('session.cookie_domain'));? If so, the php.ini is applied.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum