4

I'm implementing login and registration for multiple domains that talk to a single database - we'll call them i.domain-a.com and i.domain-b.com. Both these subdomains have A records in the DNS that point to a single server - thus making i.domain-a.com/hello.php and i.domain-b.com/hello.php run the same thing.

So, if I create a session on domain A, then I can go to domain B and retrieve the same session information. To implement completely separate login systems for both of them that utilise the same PHP functions I have written to handle registration, should I do something with session_name() based on $_SERVER['HTTP_HOST']? I'm not sure how similar my situation is to this guy, and hope this question isn't too similar.

Community
  • 1
  • 1
Sam Starling
  • 5,298
  • 3
  • 35
  • 52
  • I guess that in addition, I should have asked: If using a different `session_name()` for each domain isn't a sensible option, then what is the best way to handle this? – Sam Starling Feb 10 '10 at 13:16
  • you can also set the "session.cookie_domain" [type:string] runtime directive (init_set()), at the first line of your php app in everydomain (my answer is below but uses a call to the session_name() function) – Andreas Feb 10 '10 at 13:50

3 Answers3

3

To avoid problems with sessions you should use the session_name('myapplication') [ session_name({UNIQUE_APP_ID}) ].

The problem you are mentioning can occur in more simple situations where there is an administration panel and a sign-in form for the users of the web site.

If session_name is not used a signed-in user could have access to the admin. panel but this depends on the auth. scheme and mechanism you have implemented.

regards,

Andreas
  • 5,305
  • 4
  • 41
  • 60
2

Sessions/cookies are domain-specific and don't rely on DNS settings. If you want both system's sessions to be separate while they live on separate domains you're already all set.

I believe session_name() would've actually been the best solution for that other guy's question, two separate sessions on the same domain.

nortron
  • 3,873
  • 1
  • 24
  • 27
  • Thanks. I've got a debug page which simply shows the session ID at the moment, if I go to `i.domain-a.com/session.php` and `i.domain-a.com/session.php`, I see the same thing. If I do `session_name($_SERVER['HTTP_HOST']);` before `session_start();` then I get different IDs for each domain. – Sam Starling Feb 10 '10 at 13:18
  • That's because i.domain-a.com/session.php and i.domain-a.com/session.php are the same page. – Quentin Feb 10 '10 at 13:26
  • Session IDs are server specific however cookies are domain specific. The user's cookies (one for each domain) will each be pointing to unique session IDs thus avoiding any overlap. Try setting up a script that sets a session variable and a script that displays that variable. Run the first from one domain and the second from the other, the second should never get the first's values until it's run from the same domain. – nortron Feb 10 '10 at 13:28
  • If someone were to manually pass the session ID into the PHP scripts they could (and you could if you wanted to provide this feature) transfer a session's data across domains. To completely prevent this you could definitely use your session_name()/HTTP_HOST combination. – nortron Feb 10 '10 at 13:30
0

No. The mechanism that stops different users getting the same session works on a per server basis, not a per hostname basis.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • Therefore, with that in mind, is it safe to do `session_name($_SERVER['HTTP_HOST']);` before `session_start();` to separate the sessions for each domain on the same server? – Sam Starling Feb 10 '10 at 13:20
  • I've also realised that implementing the above causes a new ID to be generated every visit, which isn't ideal. I want the same ID until the session expires or is destroyed. Apologies for such rapid replies... – Sam Starling Feb 10 '10 at 13:25