
Sub-domain PHP Session Question

Hi,

On one of my websites, I have some AJAX calls which are hard-coded in my JavaScript to send their requests to http://www.example.com/ajaxfile.php. Sometimes, the AJAX request requires the user to be logged in.

Because the 'www' subdomain is hard-coded into the JavaScript, I've just discovered that if a user logs in at http://example.com rather than http://www.example.com, any AJAX that requires they are logged in falls apart, because the script cannot find a session cookie for the 'www' sub-domain.

I've been fiddling around trying to get the session/cookie to spread across http://www.example.com and example.com but it doesn't seem to work.

My first question is, if I do this:

Code:
session_set_cookie_params(0, '/', '.example.com');

before I start the session, should the session cookie be accessible for example.com AND http://www.example.com?

Secondly, what else could be going wrong? Do you have any ideas that I could try?

Cheers,
Richard
 
•••
Yes, the following should make it work across both the "www.example.com" and "example.com":
PHP:
session_set_cookie_params(0, '/', '.example.com');

Note: I said "should". Browsers are picky on cookies, especially session cookies, and IE is the worst of them all. I'd recommend setting the session_name() first to help with the problem.

In addition, you could always try making sure no matter what URL/hostname the user types to get to your site that they always get logged in via the one you want (i.e., "example.com" only, in my example below). This saves issues with sessions & normal cookies with buggy browsers, and later if you change or add things like SSL for more security, you don't have to worry about whether the hostname is an issue again.

PHP:
<?php
// We want to see if this was redirected back from "www.example.com".
// Initialise the flag and test with isset() so a missing parameter raises no notice.
$BadHosty = "0";
if(isset($_GET['nothere']) && $_GET['nothere'] == "1"){
    $BadHosty = "1";
}
// Check to make sure user came here via using "example.com" and not "www.example.com".
if($_SERVER['SERVER_NAME'] != "example.com"){
    // If they came here via "www.example.com", and the URL included a query string (URL variables), we preserve them here.
    if($_SERVER['QUERY_STRING'] == ""){
        $qs = "?nothere=1";
    }else{
        $qs = "?nothere=1&".$_SERVER['QUERY_STRING'];
    }
    // Since user came here from "www.example.com", we redirect him to "example.com" itself, pass the query string, and add the "nothere=1" to the query string so that we know it later (see below).
    header("Location: http://example.com".$_SERVER['PHP_SELF'].$qs);
    exit;
}
// *** DO SESSION HERE before anything else ***
// Top of the rest of your page's code, like header/menu...
// Notify users, IF they got here via originally using the "www.example.com".
if($BadHosty == "1"){
    echo '<span style="background-color:red;color:yellow">You originally came here using "www.example.com". Our website, for security reasons of goofy browsers, restricts logins to the non-"www" URL of our website. Please, update your bookmarks, or make sure not to use "www" in front of our domain next time you visit :)</span>';
}
// Rest of your code...
?>

You could, alternatively, use .htaccess to do the redirect. However, that can be a bit more tricky in some cases, and you asked about PHP and not .htaccess.

The above is one of a dozen possible solutions I could think of. But, for the moment, just see if that works for you.

maximum awaits someone like Eric to come and correct his code:P
 
•••
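The question above asks which hosts receive the session cookie with and without the '.example.com' domain argument. As an added example that is not part of any post in this thread, the JavaScript below applies the RFC 6265 storage and domain-matching rules to constructed sample hostnames; the browser's public-suffix check is left out, and all function names are illustrative.

```javascript
// Added example: the RFC 6265 rules a browser uses to scope a cookie.
// Hostnames are constructed samples; the public-suffix check is omitted.

// Section 5.2.3: lower-case the Domain attribute and drop one leading dot.
function normalizeDomainAttr(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith('.') ? v.slice(1) : v;
}

// Section 5.1.3: identical strings, or host ends with "." + domain
// (and host is a name, not an IPv4 address).
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  if (h === domain) return true;
  return h.endsWith('.' + domain) && !/^[\d.]+$/.test(h);
}

// Model what the browser stores when `setByHost` answers with Set-Cookie.
// domainAttr === null models a session cookie sent with no Domain attribute.
function storeCookie(setByHost, domainAttr) {
  if (domainAttr === null || domainAttr === '') {
    return { domain: setByHost.toLowerCase(), hostOnly: true };
  }
  const domain = normalizeDomainAttr(domainAttr);
  // A host cannot set a cookie for a domain it does not belong to.
  if (!domainMatch(setByHost, domain)) return null;
  return { domain: domain, hostOnly: false };
}

// Is the stored cookie attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// List the hosts from `hosts` that would receive the cookie.
function recipients(setByHost, domainAttr, hosts) {
  const cookie = storeCookie(setByHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

const HOSTS = ['example.com', 'www.example.com', 'blog.example.com', 'example.org'];
console.log('no Domain attribute :', recipients('example.com', null, HOSTS));
console.log("Domain=.example.com :", recipients('example.com', '.example.com', HOSTS));
```

With the domain argument the session cookie is sent to every subdomain of example.com, not only to 'www', so each of those hosts has to be trusted with the session ID. Cookie scope is also only half of the picture: a page on example.com calling www.example.com makes a cross-origin request under the same-origin policy, which serving everything from one canonical host avoids.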
Thanks heaps for the time you put into that reply!

I'll have a look at that code after the weekend and see how it works for me.

I've done 'www' redirects in .htaccess on other sites. That's the road I was thinking I was going to have to go down, but I prefer to use a PHP solution so that's what I'll go with.

Interestingly enough, I haven't been using IE to test the session cookie stuff. I run Linux... and Chrome was the culprit that didn't work. In any case I'd rather not rely on browsers if they are going to be that buggy.
 
•••
No problem. Love messing around with code myself, especially PHP (albeit, no "expert"), so doing help for others gives me ideas too ;) Let me know if it works for you.
 
•••
No problem. Love messing around with code myself, especially PHP (albeit, no "expert"), so doing help for others gives me ideas too ;) Let me know if it works for you.

I knew I would find you here :D
 
•••
-Nick- said:
I knew I would find you here :D
PHP:
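<?php
// Joke snippet: the null-coalescing default avoids a notice when no HTTP auth user is sent.
if(($_SERVER['PHP_AUTH_USER'] ?? '') == "-Nick-"){
    $UseInvisibleMode = true;
}else{
    $UseInvisibleMode = false;
}
$NickSeesMaximum = $UseInvisibleMode;
exit;
?>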
maximum hides from Nick:P
 
•••
I have some kind of issue. Google brought me here. It is solved now. Thanks to all
 