
PHP - Do not allow sessions across subdomains

Ok, so I'm having an issue with a project I'm working on. I have a site with multiple subdomains. However, I've set up each subdomain to be its own hosting account (meaning it has its own hosting user and such). Now, I DON'T want cookies to be shared across the domains. One domain is a signup domain ( http://signup.mydomain.com ), one is a login domain ( http://login.mydomain.com ). However, after they sign up (on the signup subdomain) I want to force them to log in on the "log in subdomain".

In Firefox everything works fine. But for some reason in Internet Explorer it's not creating a new session when they go from one subdomain to the other. It's still trying to read the old session file...but this isn't going to work because the session file is owned by the signup user...not the login user. Hence I am getting an error: open(/tmp/sess_91757a42a3b0ff0415e07ac62e603790, O_RDWR) failed: Permission denied (13), which of course makes sense because of the file ownership issue.

Now, what I can't figure out is how to force Internet Explorer to start a new session between the two subdomains, and treat them like they are separate sites (like they technically are).

Here is code I've tried with no success:

on the signup subdomain:

session_set_cookie_params(0, '/', 'signup.mydomain.com');
session_start();

on the login subdomain:

session_set_cookie_params(0, '/', 'login.mydomain.com');
session_start();

Then I also tried:

session_destroy();
$old_sessionid = session_id();
session_regenerate_id();
session_start();

Lastly, I tried different variations of the above, with this as well (before the session_start()):

ini_set('session.cookie_domain', 'signup.mydomain.com' );

Ok, so I think I actually figured out what was going on. I just happened to stumble upon it when looking over another issue with the site. The root domain is using WordPress with the BulletProof Security Pro security module. It turns out, by default they deny HEAD requests with this in the .htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

It's supposed to be in there to stop junk and spam bots, but apparently this was causing an issue with IE not releasing the session. As soon as I removed the "HEAD" from it, the cookies started working the way they should. Hopefully this helps someone else out in the future.
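As an added example (not the asker's code), here is how a session bootstrap can keep each subdomain's session fully isolated regardless of what cookie the browser presents: a distinct cookie name per subdomain, a host-only cookie, and a per-account session.save_path so session files never land in the shared /tmp that produced the "Permission denied" error above. The hostnames, the /home/... directories and HTTPS on both subdomains are assumptions.

```php
<?php
// Added example, not from the original post. Assumed: each hosting account
// has a private directory such as /home/signup/sessions and serves HTTPS.
declare(strict_types=1);

/**
 * Start a session that is private to one subdomain / hosting account.
 * $label picks the cookie name, so a PHPSESSID cookie that belongs to another
 * subdomain is simply ignored here. $savePath keeps session files out of the
 * shared /tmp, where files owned by another account cannot be opened.
 */
function start_isolated_session(string $label, string $savePath): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session dir $savePath");
    }
    ini_set('session.save_path', $savePath);
    ini_set('session.use_only_cookies', '1'); // never accept ids from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids this server did not issue
    session_name('SESS_' . $label);           // e.g. SESS_signup vs SESS_login

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',     // empty = host-only cookie, not sent to sibling subdomains
        'secure'   => true,   // assumes the subdomain is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// On the signup subdomain (assumed path):
start_isolated_session('signup', '/home/signup/sessions');

// On the login subdomain the same bootstrap would be called with its own values:
// start_isolated_session('login', '/home/login/sessions');
```

Because the cookie names differ, a stale signup cookie carried to login.mydomain.com is never looked up there, so the login host always issues its own fresh session id.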
