跨子域的 PHP 会话 2
This is a complement of PHP Sessions across sub domains
I tried what is indicated on that question, and I see that the issue wasn't given.
So I need to have sessions across sub-domains (www.example.com
to forum.example.com
)
What I did on www.example.com
is
session_name("a_name");
session_set_cookie_params(0, '/', '.example.com');
session_start();
echo session_id();
$_SESSION['test'] = 123;
On forum.example.com
session_name("a_name");
session_set_cookie_params(0, '/', '.example.com');
session_start();
echo session_id();
print_r($_SESSION);
The session_id are exactly the same, but the $_SESSION doesn't output anything.
How to make forum.example.com
output 123
?
I tried session.cookie_domain = .example.com
but doesn't change anything
When I go on forum.example.com
it destroys the www.example.com
sessions, and it does the same on the other way, like if it detects that it comes from another sub-domain and erases everything for security.
The 2 sub-domains are on the same Debian server
Another thing that I noticed is that without session_name
and session_set_cookie_params
it still has exactly the same session_id, when I set session.cookie_domain
Thank You
解决方案Ok, I've thought about this for a while and I think I've got it.
First things first: since you are getting the same session id from both servers, we can rule out any cookie-related issues. Clearly, you are successfully creating a cookie named a_name
(though I'd recommend only alphanumeric characters for that cookie name) on www.example.com
, and successfully reading that a_name
cookie on forum.example.com
. But, like you said, you aren't getting any data from forum.example.com
. The session.cookie_lifetime = 0
is not an issue: that just means that the session cookie remains until the browser is closed.
We should delve into PHP's session handling a bit further. The session id you are reading out with session_id()
refers to a file on your server. Typically, that file is present in /tmp/sess_$session_id
. The contents of that file are your $_SESSION
array, serialized. (Keep in mind that the data is not serialized the same way that serialize()
in PHP does... but that's not important right now.).
I think this is a file permission-related issue:
/tmp/sess_$session_id
file is set withwww.example.com
's user and group.forum.example.com
attempts to open/tmp/sess_$session_id
, but doesn't have the proper permissions.- As a result, you get an empty result when trying to
print_r($_SESSION);
Solution:
Check your server's configuration file to make sure that www.example.com
and forum.example.com
are running as THE SAME USER AND GROUP. That is critical! For Apache, find your *.conf file:
User youruser
Group yourgroup
For nginx, find nginx.conf:
user youruser yourgroup;
If changing the server config files is not an option, then you should make sure that the users running the two sites are in the same group.
You can verify that this is the problem by first loading www.example.com
and then sudo ls -ltc sess_*
in your server's shell, via SSH (find the sess_
ending in your $session_id
). Next, load forum.example.com
and then sudo ls -ltc sess_*
again, to see the user and/or group change.
相关文章