跨子域的 PHP 会话 2

2022-01-24 00:00:00 session debian php cross-domain

This is a complement of PHP Sessions across sub domains
I tried what is indicated on that question, and I see that the issue wasn't given.

So I need to have sessions across sub-domains (www.example.com to forum.example.com)

What I did on www.example.com is

session_name("a_name");
session_set_cookie_params(0, '/', '.example.com');
session_start();

echo session_id();
$_SESSION['test'] = 123;

On forum.example.com

session_name("a_name");
session_set_cookie_params(0, '/', '.example.com');
session_start();

echo session_id();
print_r($_SESSION);

The session_id are exactly the same, but the $_SESSION doesn't output anything.
How to make forum.example.com output 123 ?

I tried session.cookie_domain = .example.com but doesn't change anything

When I go on forum.example.com it destroys the www.example.com sessions, and it does the same on the other way, like if it detects that it comes from another sub-domain and erases everything for security.

The 2 sub-domains are on the same Debian server

Another thing that I noticed is that without session_name and session_set_cookie_params it still has exactly the same session_id, when I set session.cookie_domain

Thank You

解决方案

Ok, I've thought about this for a while and I think I've got it.

First things first: since you are getting the same session id from both servers, we can rule out any cookie-related issues. Clearly, you are successfully creating a cookie named a_name (though I'd recommend only alphanumeric characters for that cookie name) on www.example.com, and successfully reading that a_name cookie on forum.example.com. But, like you said, you aren't getting any data from forum.example.com. The session.cookie_lifetime = 0 is not an issue: that just means that the session cookie remains until the browser is closed.

We should delve into PHP's session handling a bit further. The session id you are reading out with session_id() refers to a file on your server. Typically, that file is present in /tmp/sess_$session_id. The contents of that file are your $_SESSION array, serialized. (Keep in mind that the data is not serialized the same way that serialize() in PHP does... but that's not important right now.).

I think this is a file permission-related issue:

  1. /tmp/sess_$session_id file is set with www.example.com's user and group.
  2. forum.example.com attempts to open /tmp/sess_$session_id, but doesn't have the proper permissions.
  3. As a result, you get an empty result when trying to print_r($_SESSION);

Solution:
Check your server's configuration file to make sure that www.example.com and forum.example.com are running as THE SAME USER AND GROUP. That is critical! For Apache, find your *.conf file:

User youruser
Group yourgroup

For nginx, find nginx.conf:

user youruser yourgroup;

If changing the server config files is not an option, then you should make sure that the users running the two sites are in the same group.

You can verify that this is the problem by first loading www.example.com and then sudo ls -ltc sess_* in your server's shell, via SSH (find the sess_ ending in your $session_id). Next, load forum.example.com and then sudo ls -ltc sess_* again, to see the user and/or group change.

相关文章