0

I have a few websites on the same server with the following domains with the PHP session domain set to '.example.com' so the cookie is shared between the two websites:

  • example.com
  • shop.example.com

I also have a separate server with the following domain admin.example.com and want it to use its own session/cookie. But when there is a .example.com cookie, the admin.example.com website tries using that value instead of its .admin.example.com cookie value, causing session issues...

If I were to delete the .example.com cookie, the website works as intended by using the correct .admin.earlowen.com value.

I have set session.cookie_domain to .admin.example.com to no avail. Am I missing anything? Or is just not possible.

Improve this question
4
  • On admin.example.com server inside a web directory create a script with code: <? phpinfo(); ?> and run it. What values are displayed for the session.cookie_domain option? Commented Nov 21, 2017 at 17:35
  • @camelsWriteInCamelCase it reads: .admin.example.com Commented Nov 21, 2017 at 17:41
  • It is displayed as value in fields Local value and/or Master value in data from phpinfo() opposite session.cookie_domain directive? Commented Nov 21, 2017 at 18:11
  • The master has no value. Commented Nov 21, 2017 at 18:20

1 Answer 1

Reset to default
1

Since they share the same domain, they are the same site and share a session.

You can manually override this by using session_name in your admin section.

Something like this:

<?php
//this forces the admin page to recognize a different cookie as it's session id
session_name('PHPADMINSESSID');

//start the session normally
session_start();

There are a few other tricky ways to do this, but you should generally avoid tricky, because you can easily forget what you did and not be able to figure it out later. I will explain some of those also for reference though:

  • Dual subdomains alter the expected hostname if they can be used, and will cause two different inherent sessions. For example subdomain.example.com and example.com will share a session, but subdomain.username.example.com and example.com will not, and will use separate sessions. You should avoid this, because if you decide to implement some backend logic to manage the session and expect them to be shared, this will become very difficult to work around.

  • You can also force different sessions using session_id, but this requires that you manually track the id's and will get quite convoluted, and will also require you to set up some sort of data store to keep track of which sessions go to what, which adds a lot of unnecessary overhead.

Easiest way is to just use different session_name values for each session.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.