Dennis Spohr

Same session on subdomains


Hi all,

I have problems keeping my session on different subdomains (including www).

I've set the following config:

$config->sessionCookieDomain = '.mydomain.net';
$config->sessionCookieSecure = false;

But it doesn't work, I always lose the session when I switch between www.mydomain.net and example.mydomain.net.

Could it be because both of them have a different SSL-Certificate? (https)

Thanks for any help!
Dennis


I had a similar problem this week: I kept losing sessions, and I'm using Cloudflare to handle SSL.

But without www, as in my case it redirects to https://example.com.

I resolved it by adding this to the config file: 

/**
* http://cheatsheet.processwire.com/system-configuration/session/config-sessionfingerprint/
* Should login sessions be tied to IP and user agent? More secure, but will conflict with dynamic IPs. Default is true.
*/
$config->sessionFingerprint = false;

 


Hi Sérgio,

thanks for your reply. 

Unfortunately this doesn't change anything for me - still not working.


Hi all,

I'm trying to do it in a different way now.

On Domain A, I append the session_id:

$pages->get(123)->url.'?sid='.session_id();

On Domain B I placed the following code in the site/config.php:

if (isset($_GET['sid']))
{
  session_id($_GET['sid']);
}

session_start() is called after loading the config, right?

Unfortunately it still doesn't work. After doing this even the session on Domain A is destroyed.

I got this idea here: https://www.gonnalearn.com/2008/04/10/sharing-session-data-across-domains-with-php/

Any idea from anyone? Thanks!

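A raw session id in a URL, as in the post above, ends up in logs, referrers and browser history, and `session_id($_GET['sid'])` lets whoever crafts the link choose the session (session fixation). The sketch below hands over a short-lived, HMAC-signed, single-use token instead. It is an added example, not code from the thread or from ProcessWire; `HANDOFF_KEY`, `HANDOFF_TTL`, `issueHandoffToken()`, `redeemHandoffToken()` and the in-memory `$used` store are hypothetical names.

```php
<?php
// Added example: hypothetical helpers, not part of ProcessWire.
// Assumption: both hosts load the same secret HANDOFF_KEY from their config.
const HANDOFF_KEY = 'replace-with-32-random-bytes';   // constructed placeholder
const HANDOFF_TTL = 30;                                // seconds a token stays valid

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Domain A: the token names the user and an expiry, never the session id.
function issueHandoffToken(int $userId, int $now): string {
    $payload = b64url(json_encode([
        'uid'   => $userId,
        'exp'   => $now + HANDOFF_TTL,
        'nonce' => bin2hex(random_bytes(16)),
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
}

// Domain B: check signature, expiry and single use; returns the user id or null.
function redeemHandoffToken(string $token, int $now, array &$used): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
    if (!hash_equals($expected, $mac)) return null;            // forged or altered
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || $data['exp'] < $now) return null;  // expired
    if (isset($used[$data['nonce']])) return null;             // already redeemed
    $used[$data['nonce']] = $data['exp'];  // assumption: a shared DB table in a real setup
    return (int) $data['uid'];
}

// Constructed demo: user id 41 is a made-up value.
$used  = [];
$now   = time();
$token = issueHandoffToken(41, $now);
var_dump(redeemHandoffToken($token, $now, $used));        // first redemption
var_dump(redeemHandoffToken($token, $now, $used));        // same token again
var_dump(redeemHandoffToken($token . 'x', $now, $used));  // tampered signature
var_dump(redeemHandoffToken($token, $now + 60, $used));   // after the TTL
```

Domain B then starts its own fresh session for the returned user id, so no session id ever crosses between hosts.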

Does anyone have an idea? I tried many, many things and lost 3 days experimenting on it already.

I have the feeling that ProcessWire somehow does something wrong.

Thanks,
Dennis


For testing I use both domains without an ssl-certificate and without any redirects.

I tried to set the cookie-domain in these 3 ways:

  • config.php: session_set_cookie_params(0, '/', '.mydomain.net');
  • config.php: $config->sessionCookieDomain = '.mydomain.net';
  • htaccess: php_value session.cookie_domain ".mydomain.net"

All of them have the same behavior: if I log in on domain A and then on subdomain B, the sessions on both are destroyed.

I also played with these values:

$config->sessionFingerprint  = false;
$config->sessionCookieSecure = false;

But no change. I'm totally stuck now ...


Not sure I can be much help, but can you describe the setup in some more detail?

These subdomains: does each subdomain have an independent installation of PW? Or a multi-site setup? In which case what 'flavour' of multi-site? (e.g. one of the kinds described in the docs, PW3 multi-instance, or Soma's module)

And the objective is to have a kind of single sign-in that works across the sites/subdomains?

Or do you just have a single-site PW installation that you can access from more than one subdomain?

 


Hi Robin,

all domains/subdomains are using the same PW-installation. I use my htaccess-file to point each of them to a specific page.

Yes, I want to log in the user for both domains.

Quote

Or do you just have a single-site PW installation that you can access from more than one subdomain?

Exactly.

I use PW 3,0,42. The sessions are stored in the database.

Currently I'm trying to login the user via an ajax-request, but couldn't get this one to work either. But still working on this. Could be an interesting option since I use https everywhere and later on I will have other domains (not subdomains) as well.

Got this idea from here: 

 


Hi all,

Somehow I can't properly log in with ajax. This is the content of my ajax file (placed on Domain B, called on Domain A):

<?php namespace ProcessWire;

	$name = $sanitizer->text($input->post->name);
	$pass = $sanitizer->text($input->post->pass);

	if ($name != '' && $pass != '')
	{
		$test = $session->login($name, $pass);
		print $test->name;
		print $user->name;
	}

?>

The first print gives me the name as expected, which means that the login was successful. But the second print returns "guest".

If I reload the page on Domain B, the user is not logged in. Any idea?

Thanks!


If I look into the session-table, I get 3 entries:

  1. I go to Domain B, session is created. I login there and $user is set.
  2. During the login process Domain A is called via ajax and creates another session. Also with $user set. All seems to be fine until here.
  3. I go to Domain A - but here another session is created. The session which was created via the ajax request is ignored. Why?

In the config I set

$config->sessionFingerprint = false;

Does anyone have an idea? There must be a solution somehow ...


This config setting sounds like it should do what you're aiming for...

$config->sessionCookieDomain
null or string
Domain to use for sessions, which enables a session to work across subdomains, or NULL to disable (default/recommended). 

...but I see you have already tried that. Maybe try without the leading dot? If that setting still doesn't work I suggest opening a GitHub issue so Ryan can confirm if it's a bug or not. Sorry to hear this is proving so difficult to get working.

If you want to investigate some more yourself you could install the essential Tracy Debugger and start dumping stuff inside /wire/core/Session.php to try and find out where the issue is occurring.

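For the cookie-domain settings tried earlier in the thread and the leading-dot suggestion above, this added example (not code from the thread or from ProcessWire) models the RFC 6265 rules a browser uses to decide which hosts receive a cookie. The cookie name `wire` (assumed to be the ProcessWire default session name), the cookie values and the jar contents are constructed; the stale host-only cookie it includes is one thing to rule out when testing, not a cause the thread confirms.

```php
<?php
// Added example: models RFC 6265 cookie selection; not ProcessWire code.

// RFC 6265 section 5.1.3: a host matches if it equals the cookie domain
// or ends with "." + cookie domain (and is not an IP address).
function domainMatches(string $host, string $cookieDomain): bool {
    $host = strtolower($host);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.')); // a leading dot is ignored
    if ($host === $cookieDomain) return true;
    $suffix = '.' . $cookieDomain;
    return substr($host, -strlen($suffix)) === $suffix
        && filter_var($host, FILTER_VALIDATE_IP) === false;
}

// Jar entries: name, value, domain, hostOnly (true when Set-Cookie carried no Domain).
function cookiesSentTo(string $host, array $jar): array {
    $sent = [];
    foreach ($jar as $c) {
        $ok = $c['hostOnly']
            ? strtolower($host) === strtolower($c['domain'])
            : domainMatches($host, $c['domain']);
        if ($ok) $sent[] = $c['name'] . '=' . $c['value'];
    }
    return $sent;
}

// Constructed jar, oldest cookie first: a host-only cookie set before
// sessionCookieDomain was configured, then the new domain-wide cookie.
$jar = [
    ['name' => 'wire', 'value' => 'old-www-session', 'domain' => 'www.mydomain.net', 'hostOnly' => true],
    ['name' => 'wire', 'value' => 'shared-session',  'domain' => '.mydomain.net',    'hostOnly' => false],
];

foreach (['www.mydomain.net', 'example.mydomain.net', 'mydomain.net', 'notmydomain.net'] as $host) {
    $sent = cookiesSentTo($host, $jar);
    printf("%-22s %s\n", $host, $sent ? implode('; ', $sent) : '(none)');
}
```

When a request carries two cookies with the same name, PHP keeps the first one in `$_COOKIE`, so clearing the cookies for every host before each test removes that variable.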

I did a bit of testing today with $config->sessionCookieDomain and I couldn't get it to log me in across subdomains. Also, if I logged in on one subdomain and then tried to log in on the other subdomain I was sent into an endless redirection loop.


Hi Robin,

thanks for your feedback. 

Yesterday I changed the whole structure of my project, so I don't have to use different domains. But still it's more like a workaround since now I don't have the full functionality I wanted to have.

I will open a GitHub Issue soon.

Thanks again!
