0
votes

We have a CentOS 5.4 server serving a number of our websites. The server is managed by Plesk 9.2.3. Our websites are developed in PHP.

We have our main domain ourapplication.co.uk in /var/www/vhosts/ourapplication.co.uk/httpdocs, and our subdomain api.ourapplication.co.uk in /var/www/vhosts/ourapplication/subdomains/api/httpdocs

The following pages are in BOTH locations:

davidstest1.php

```php
<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<title>Code Blue Stats</title>
<link rel="stylesheet" type="text/css" href="css/style.css" />
</head>
<body>
<?php
echo "This is Davids Test 1. It will set SESSION['davids']='davids variable set' and then link
to davidstest2.php<br />
davidstest2 will then do a session_start() call, and attempt to display SESSION['davids'] <br />";
$_SESSION['davids']='davids variable set';
?>
<a href="davidstest2.php">davidstest2.php</a>
</body>
</html>
```

davidstest2.php

```php
<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<title>Code Blue Stats</title>
<link rel="stylesheet" type="text/css" href="css/style.css" />
</head>
<body>
<?php
echo "This is Davids Test 2. It will do a session_start() call, and attempt to display SESSION['davids'] <br />";
$r=print_r($_SESSION, true);
echo "<pre>Session in <br />";
echo $r;
echo "<br /></pre>";
?>
<a href="davidstest2.php">davidstest2.php</a>
</body>
</html>
```

In the MAIN domain, davidstest2 returns:

This is Davids Test 2. It will do a session_start() call, and attempt to display SESSION['davids'] 
Session in 
Array
(
    [siteMode] => none
    [davids] => davids variable set
) 
davidstest2.php

In the api SUBDOMAIN, davidstest2 returns:

This is Davids Test 2. It will do a session_start() call, and attempt to display SESSION['davids'] 
Session in 
Array
(
)
davidstest2.php

Obviously, something in the Apache config or the PHP config is wrong, as the session variable should be stored for both domains.

Relevant phpinfo() reports:
Session Support enabled
Registered save handlers    files user
Registered serializer handlers  php php_binary wddx
session.auto_start  Off Off
session.bug_compat_42   Off Off
session.bug_compat_warn On  On
session.cache_expire    180 180
session.cache_limiter   nocache nocache
session.cookie_domain   no value    no value
session.cookie_lifetime 0   0
session.cookie_path /   /
session.cookie_secure   Off Off
session.entropy_file    no value    no value
session.entropy_length  0   0
session.gc_divisor  1000    1000
session.gc_maxlifetime  1440    1440
session.gc_probability  1   1
session.hash_bits_per_character 5   5
session.hash_function   0   0
session.name    PHPSESSID   PHPSESSID
session.referer_check   no value    no value
session.save_handler    files   files
session.save_path   /var/lib/php/session    /var/lib/php/session
session.serialize_handler   php php
session.use_cookies On  On
session.use_only_cookies    Off Off
session.use_trans_sid   0   0

Any ideas where to start looking?

2
I don't understand this entirely yet. Are you expecting the session cookie to be transported from domain to subdomain? - Pekka
No, no. api and main application are separate. Just that cookies used in ourapplication are fine, but cookies set while in api.ourapplication don't get set. - David Shields
It could just be me, but there seems to be some cross purpose talking between that last comment and your conversation under Gumbo's answer. Much of what Gumbo is saying seems to be about getting api.domain.com and domain.com to share session data. If you are saying that the problem is simply that api.domain.com isn't saving the session cookie at all, then that's a different matter. - Peter O'Callaghan
You're entirely correct - api.domain.com and domain.com have NO connection to each other, and there is no requirement to share session info. However, the way the (beast of a) server is set up seems to be affecting subdomains such that api.domain.com is NOT saving session info. And I don't know where to start looking. - David Shields

2 Answers

3
votes

Set session.cookie_domain to .ourapplication.co.uk (note the dot at the beginning) to have the session cookies be valid for ourapplication.co.uk and all its subdomains.

1
votes

session.cookie_domain should be set according to the cookie domain setting explained in http://php.net/setcookie.

The session_set_cookie_params() function is often used for this.
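
An added example, not code from the question or from either answer: a single test page that sets the session cookie scope explicitly with session_set_cookie_params() and reports the usual reasons a files-based session fails to persist on one vhost. The function names `session_diagnostics` and `start_scoped_session` and the `hits` counter are hypothetical; the domain is the one from the question.

```php
<?php
// Added example, not from the original posts. Function names are hypothetical.

// Return findings on why a files-based session may fail to persist on this vhost.
function session_diagnostics()
{
    $findings = array();

    // The session cookie is an HTTP header: it cannot be sent after output.
    if (headers_sent($file, $line)) {
        $findings[] = "output already started at $file:$line";
    }

    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last part.
    $parts = explode(';', session_save_path());
    $dir   = end($parts);
    $base  = ini_get('open_basedir');
    if ($base != '') {
        // A per-vhost open_basedir can block access to a shared session directory.
        $findings[] = "open_basedir is set ('$base'): confirm it covers '$dir'";
    }
    if ($dir != '' && !@is_writable($dir)) {
        $findings[] = "'$dir' is not writable by this vhost's PHP process";
    }
    return $findings;
}

// Start a session whose cookie scope is chosen explicitly.
//   ''                       host-only: returned only to the host that set it
//   '.ourapplication.co.uk'  returned to the main domain and all subdomains,
//                            so every subdomain can read the session id
function start_scoped_session($cookieDomain = '')
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // lifetime 0 = browser session; HttpOnly (5th argument) needs PHP >= 5.2.
    session_set_cookie_params(0, '/', $cookieDomain, $https, true);
    return session_start();
}

$findings = session_diagnostics();      // run before any output
start_scoped_session('');               // api and main site share nothing
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

header('Content-Type: text/plain');
echo 'cookie received: ', isset($_COOKIE[session_name()]) ? 'yes' : 'no', "\n";
echo 'hits this session: ', $_SESSION['hits'], "\n";
print_r(session_get_cookie_params());
print_r($findings);
```

Reload the page on each host: "cookie received: no" on every reload means the browser is not returning the cookie (a scope or header problem), while "yes" with a hit count stuck at 1 means the session data is not being stored on the server.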