Same session on subdomains


Dennis Spohr
Hi all,

I have problems keeping my session on different subdomains (including www).

I've set the following config:

$config->sessionCookieDomain = '.mydomain.net';
$config->sessionCookieSecure = false;

But it doesn't work, I always lose the session when I switch between www.mydomain.net and example.mydomain.net.

Could it be because both of them have a different SSL-Certificate? (https)

Thanks for any help!
Dennis

Link to comment

I had a similar problem this week: I kept losing sessions, and I'm using Cloudflare to handle SSL.

But without www, as in my case it redirects to https://example.com.

I resolved it by adding this to the config file: 

/**
* http://cheatsheet.processwire.com/system-configuration/session/config-sessionfingerprint/
* Should login sessions be tied to IP and user agent? More secure, but will conflict with dynamic IPs. Default is true.
*/
$config->sessionFingerprint = false;

 

Link to comment

Hi all,

I'm trying to do it in a different way now.

On Domain A, I append the session_id:

$pages->get(123)->url.'?sid='.session_id();

On Domain B I placed the following code in the site/config.php:

if (isset($_GET['sid']))
{
  session_id($_GET['sid']);
}

session_start() is called after loading the config, right?

Unfortunately it still doesn't work. After doing this even the session on Domain A is destroyed.

I got this idea here: https://www.gonnalearn.com/2008/04/10/sharing-session-data-across-domains-with-php/

Any idea from anyone? Thanks!

Link to comment
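
An added example, not part of the original post: putting session_id() in a URL exposes it to server logs, browser history and Referer headers, and accepting an ID from ?sid= lets whoever supplies the link choose the visitor's session. The sketch below hands over a short-lived, single-use, HMAC-signed token instead; HANDOFF_KEY, HANDOFF_TTL, issueHandoff(), redeemHandoff() and the $seen nonce store are hypothetical names, and the key, user id and timestamps are constructed values.

```php
<?php
// Added example (not from the thread). All names here are hypothetical.
const HANDOFF_KEY = 'constructed-demo-key-use-32-random-bytes'; // shared secret (placeholder)
const HANDOFF_TTL = 30;                                          // seconds a token stays valid

// Domain A: mint a token for the logged-in user instead of exposing session_id().
function issueHandoff(int $userId, int $now): string
{
    $payload = json_encode([
        'uid'   => $userId,
        'exp'   => $now + HANDOFF_TTL,
        'nonce' => bin2hex(random_bytes(16)),
    ]);
    $body = rtrim(strtr(base64_encode($payload), '+/', '-_'), '='); // URL-safe base64
    return $body . '.' . hash_hmac('sha256', $body, HANDOFF_KEY);
}

// Domain B: check signature, expiry and single use. Returns the user id or null.
// $seen stands in for a store both hosts share, e.g. a database table of used nonces.
function redeemHandoff(string $token, int $now, array &$seen): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, HANDOFF_KEY), $mac)) {
        return null;                                  // forged or altered
    }
    $data = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($data) || $data['exp'] < $now) {
        return null;                                  // malformed or expired
    }
    if (isset($seen[$data['nonce']])) {
        return null;                                  // already used (replay)
    }
    $seen[$data['nonce']] = true;
    return (int) $data['uid'];
}

// Constructed demo: user id 41, fixed timestamps so the run is repeatable.
$seen  = [];
$token = issueHandoff(41, 1000);
var_dump(redeemHandoff($token, 1010, $seen));        // first use within the TTL
var_dump(redeemHandoff($token, 1011, $seen));        // same token again
var_dump(redeemHandoff(issueHandoff(41, 1000), 1031, $seen)); // past the TTL
var_dump(redeemHandoff($token . 'x', 1010, $seen));  // altered signature
```

After a successful redeem, Domain B would start a fresh session of its own for that user rather than adopting Domain A's session ID.
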

For testing I use both domains without an ssl-certificate and without any redirects.

I tried to set the cookie-domain in these 3 ways:

  • config.php: session_set_cookie_params(0, '/', '.mydomain.net');
  • config.php: $config->sessionCookieDomain = '.mydomain.net';
  • htaccess: php_value session.cookie_domain ".mydomain.net"

All of them have the same behavior: if I log in on domain A and then on subdomain B, the sessions on both are destroyed.

I also played with these values:

$config->sessionFingerprint  = false;
$config->sessionCookieSecure = false;

But no change. I'm totally stuck now ...

Link to comment

Not sure I can be much help, but can you describe the setup in some more detail?

These subdomains: does each subdomain have an independent installation of PW? Or a multi-site setup? In which case what 'flavour' of multi-site? (e.g. one of the kinds described in the docs, PW3 multi-instance, or Soma's module)

And the objective is to have a kind of single sign-in that works across the sites/subdomains?

Or do you just have a single-site PW installation that you can access from more than one subdomain?

 

Link to comment

Hi Robin,

all domains/subdomains are using the same PW-installation. I use my htaccess-file to point each of them to a specific page.

Yes, I want to log in the user for both domains.

Quote

Or do you just have a single-site PW installation that you can access from more than one subdomain?

Exactly.

I use PW 3,0,42. The sessions are stored in the database.

Currently I'm trying to login the user via an ajax-request, but couldn't get this one to work either. But still working on this. Could be an interesting option since I use https everywhere and later on I will have other domains (not subdomains) as well.

Got this idea from here: 

 

Link to comment

Hi all,

somehow I can't properly log in with ajax. That's the content of my ajax-file (placed on Domain B, called on Domain A)

<?php namespace ProcessWire;

	// Read the posted credentials
	$name = $sanitizer->text($input->post->name);
	$pass = $sanitizer->text($input->post->pass);

	if ($name != '' && $pass != '')
	{
		// $session->login() returns the User on success, null on failure
		$test = $session->login($name, $pass);
		if ($test) print $test->name;
		print $user->name;
	}

?>

The first print gives me the name as expected. That means the login was successful. But the second print returns "guest".

If I reload the page on Domain B, the user is not logged in. Any idea?

Thanks!

Link to comment

If I look into the session-table, I get 3 entries:

  1. I go to Domain B, session is created. I log in there and $user is set.
  2. During the login process, Domain A is called via ajax and creates another session, also with $user set. All seems to be fine until here.
  3. I go to Domain A - but here another session is created. The session which was created via the ajax request is ignored. Why?

In the config I set

$config->sessionFingerprint = false;

Anyone an idea? There must be a solution somehow ...

Link to comment

This config setting sounds like it should do what you're aiming for...

$config->sessionCookieDomain
null or string
Domain to use for sessions, which enables a session to work across subdomains, or NULL to disable (default/recommended). 

...but I see you have already tried that. Maybe try without the leading dot? If that setting still doesn't work I suggest opening a GitHub issue so Ryan can confirm if it's a bug or not. Sorry to hear this is proving so difficult to get working.

If you want to investigate some more yourself you could install the essential Tracy Debugger and start dumping stuff inside /wire/core/Session.php to try and find out where the issue is occurring.

  • Like 1
Link to comment
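
An added example, not part of the original post, on the leading-dot suggestion: under RFC 6265 a leading dot in a cookie's Domain attribute is ignored, so '.mydomain.net' and 'mydomain.net' give the cookie the same scope, and no Domain value set from www.mydomain.net can reach an unrelated domain. The function names are hypothetical, the hosts are the thread's own placeholders plus a constructed otherdomain.example, and the code models only the browser's matching rules, not ProcessWire's session handling.

```php
<?php
// Added example (not from the thread): RFC 6265 cookie Domain handling.
// Function names are hypothetical; public-suffix rejection is left out.

// RFC 6265 section 5.1.3: does $host domain-match $domain?
function domainMatch(string $host, string $domain): bool
{
    if ($host === $domain) {
        return true;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;                                // IP addresses only match exactly
    }
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// What a browser stores for a Set-Cookie from $originHost:
// [domain, hostOnly], or null when the cookie is rejected.
function storedCookie(string $originHost, ?string $domainAttr): ?array
{
    $origin = strtolower($originHost);
    if ($domainAttr === null || $domainAttr === '') {
        return [$origin, true];                      // no Domain attribute: host-only
    }
    $domain = strtolower($domainAttr);
    if ($domain[0] === '.') {
        $domain = substr($domain, 1);                // section 5.2.3: leading dot ignored
    }
    return domainMatch($origin, $domain) ? [$domain, false] : null;
}

// Is the stored cookie attached to a request for $requestHost?
function isSentTo(array $stored, string $requestHost): bool
{
    [$domain, $hostOnly] = $stored;
    $host = strtolower($requestHost);
    return $hostOnly ? $host === $domain : domainMatch($host, $domain);
}

// Constructed demo: cookie set by www.mydomain.net with each Domain value.
foreach (['.mydomain.net', 'mydomain.net', null, 'otherdomain.example'] as $attr) {
    $stored = storedCookie('www.mydomain.net', $attr);
    foreach (['www.mydomain.net', 'example.mydomain.net', 'otherdomain.example'] as $host) {
        $result = $stored === null ? 'rejected' : (isSentTo($stored, $host) ? 'sent' : 'not sent');
        printf("%-22s %-22s %s\n", var_export($attr, true), $host, $result);
    }
}
```
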

I did a bit of testing today with $config->sessionCookieDomain and I couldn't get it to log me in across subdomains. Also, if I logged in on one subdomain and then tried to log in on the other subdomain I was sent into an endless redirection loop.

Link to comment

Hi Robin,

thanks for your feedback. 

Yesterday I changed the whole structure of my project, so I don't have to use different domains. But still it's more like a workaround since now I don't have the full functionality I wanted to have.

I will open a GitHub Issue soon.

Thanks again!
