PHP session is getting reset between subdomains

南方客 2020-12-17 04:09

I have a website running with two subdomains, both of which require login (based on the same DB access credentials). In order to make it easier for users, I wanted to change

1 answer
  • 2020-12-17 04:40

    My suspect is the Suhosin project's session encryption feature; this patchset is included in most Debian-based systems. It can be configured to encode the session file's content with a key generated from various sources, to protect the session contents from other PHP scripts running on the same machine (shared hosting) or session hijacking. One of the sources is the docroot (enabled by default), which is usually different on every subdomain.

    Check if it's installed

    A simple phpinfo() will report the extension and its settings; look for a block named suhosin, and below that see if suhosin.session.encrypt and suhosin.session.cryptdocroot are on.

    Disabling the encryption

    Obviously you can edit your php.ini to disable the whole encryption or only the docroot part if you have access to the server.

    If you don't, and the server is running Apache, try disabling it in the .htaccess file of your PHP app's root like this:

    php_flag "suhosin.session.cryptdocroot" 0
    

    If it's working, you should see the difference in the phpinfo() output (Local value column).

    If your host doesn't allow a .htaccess file, you can set the same variable in PHP, but it's important to do it before session_start(). Hopefully you have some kind of a front controller to place this in.

    ini_set('suhosin.session.cryptdocroot', 0);
    phpinfo();
    

    The output of phpinfo() should be the same as in the .htaccess method: the cryptdocroot line with an "Off" local value.

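The check described in the answer above, as an added example that is not part of the original post: a small PHP script to deploy on both subdomains so the two outputs can be compared line by line instead of reading through phpinfo(). The function names are hypothetical, and the `session.*` directives are standard PHP settings listed for comparison only; the syntax is kept compatible with PHP 5.4.

```php
<?php
// Added diagnostic, not part of the original answer. Place the same file on
// both subdomains and compare the two outputs.

// Read a boolean ini directive; null means the directive is not registered
// (for example, because the suhosin extension is not loaded).
function ini_flag($name)
{
    $raw = ini_get($name);
    return $raw === false ? null : filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

function session_sharing_report()
{
    $encrypt = ini_flag('suhosin.session.encrypt');
    $docroot = ini_flag('suhosin.session.cryptdocroot');

    $report = array(
        'suhosin loaded'               => extension_loaded('suhosin') ? 'yes' : 'no',
        'suhosin.session.encrypt'      => var_export($encrypt, true),
        'suhosin.session.cryptdocroot' => var_export($docroot, true),
        'DOCUMENT_ROOT'                => isset($_SERVER['DOCUMENT_ROOT'])
                                            ? $_SERVER['DOCUMENT_ROOT'] : '(not set)',
        'session.save_handler'         => ini_get('session.save_handler'),
        'session.save_path'            => ini_get('session.save_path'),
        'session.name'                 => ini_get('session.name'),
        'session.cookie_domain'        => ini_get('session.cookie_domain') ?: '(host only)',
    );

    // The docroot only enters the session key when both switches are on.
    $report['verdict'] = ($encrypt && $docroot)
        ? 'session data is keyed to DOCUMENT_ROOT; a host with another docroot cannot read it'
        : 'session data is not keyed to DOCUMENT_ROOT';

    return $report;
}

header('Content-Type: text/plain; charset=utf-8');
foreach (session_sharing_report() as $key => $value) {
    printf("%-30s %s\n", $key, $value);
}
```

If the two subdomains print different DOCUMENT_ROOT values and the verdict says the session is keyed to it, that matches the behaviour the answer describes.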