PHP Multi-Domain Sessions; ini_set Not Working?

Question

I\'m trying to set it up so if you log in to my website the session carries over to all sub-domains of my website. For example, if you go to domain.com and log in, then go t

Answer 1

I know it's late after the question, but seeing this is the only proper answer I found and people are going to use it since the answer is voted up, I wanted to note that it is a session hack waiting to happen. So a solution for this:

define("ENCRYPTION_KEY", "whatever you want to use as key"); // encryption key
if (isset($_COOKIE['SessionEncrypt']) && !empty($_COOKIE['SessionEncrypt'])) {
    //echo "get cookie: ".$_COOKIE['SessionEncrypt']; //urldecode(decrypt($_COOKIE['SessionEncrypt'], ENCRYPTION_KEY));
    session_id(decrypt(urldecode($_COOKIE['SessionEncrypt']), ENCRYPTION_KEY));
    //session_id($_COOKIE['SessionEncrypt']);
}
session_start();
setcookie('SessionEncrypt',urlencode(encrypt(session_id(), ENCRYPTION_KEY)),time()+86400,'/','yourdomain.com'); // will work cross subdomain

To encrypt/decrypt (found it here somewhere, works like a charm):

function encrypt($pure_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, $encryption_key, utf8_encode($pure_string), MCRYPT_MODE_ECB, $iv);
    return $encrypted_string;
}

function decrypt($encrypted_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
    return $decrypted_string;
}

This way nobody can read the session in the cookie. Cause you don't have to be a genius to insert a cookie in your browser. With this, people tend to forget that sessions are in fact readable from a server. If your browser can reach it, so can other programs.

Answer 2

First verify the ini_set

<?php
ini_set('session.cookie_domain','.domain.com');

echo ini_get('session.cookie_domain');

session_start();  
$_SESSION['variable'] = 1; 

?> 

---

Update:

Just thought about it.. Did you also try:

<?php

session_set_cookie_params( 0, "/", ".domain.com", false, false); 
session_start();  
$_SESSION['variable'] = 1; 

?> 

---

Update 2: ALternate handling (manual cookie handling)

<?php

session_start();  
session_regenerate_id();
$_SESSION['variable'] = "String Test";

setcookie('PHPSESSID',session_id(),time()+86400,'/','.domain.com');
echo session_id();
?> 

and in the subdomain file

<?php  
if (isset($_COOKIE['PHPSESSID']) && !empty($_COOKIE['PHPSESSID'])) session_id($_COOKIE['PHPSESSID']);

session_start();  
echo $_SESSION['variable'] . "<br />"; 
echo $_COOKIE['PHPSESSID'] . "<br />";
echo session_id();
?> 

---

Three lines you could add to every file to hand off / handle session info

if (isset($_COOKIE['PHPSESSID']) && !empty($_COOKIE['PHPSESSID'])) session_id($_COOKIE['PHPSESSID']);
session_start();  
if (!isset($_COOKIE['PHPSESSID'])) setcookie('PHPSESSID',session_id(),time()+86400,'/','.domain.com');

What info are you passing through the session? Or are you using it to handle logins, etc?

Answer 3

Well, if all else fails, you could implement your own sessions - all $_SESSION is in PHP is a wrapper around a cookie set/get and a file-backed datastore. If you store a cookie manually with an identifier and then associate data with that identifier (say, in a DB, even), you can get essentially the same functionality (serialize() may help if you want to store a bunch of varying session data).