77
votes

I use PHP sessions (not cookies, except for the session ID cookie) for all user data, and when a user goes to their profile user.mydomain.com they are immediately "logged out" until they remove the subdomain.

Is there a way to accept sessions from all domains as long as it's *.mydomain.com?

10
First, ini_set('session.cookie_domain', '.example.com'), then session_start() or Session::start() from github.com/delight-im/PHP-Cookie - caw

10 Answers

95
votes

Here are 4 options.

Place this in your php.ini:

session.cookie_domain = ".example.com"

Or in your .htaccess:

php_value session.cookie_domain .example.com

Or as the first thing in your script:

ini_set('session.cookie_domain', '.example.com' );

Or in your php-fpm pool configuration for your site:

php_value[session.cookie_domain] = .example.com

13
votes

    if (isset($_COOKIE['session_id'])) {
        session_id($_COOKIE['session_id']);
    }
    Zend_Session::start(); //or session_start();
    if (!isset($_COOKIE['session_id'])) {
        setcookie('session_id', session_id(), 0, '/', '.yourdomain.com');
    }

Security be damned, if you are as frustrated with incomplete or bad answers as I am, this is your savior. It just works.

6
votes

Change the session name at the top of the core functions file, like:

 session_name('mysession');

Then use the following code in the PHP page:

  session_set_cookie_params(0,"/",".example.com",FALSE,FALSE);
  setcookie(session_name(), session_id(),0,"/","example.com");
  session_start();

Finally, change the default session name of the subdomain and remove the default cookie in the subdomain's core functions file, like:

 /*default session name*/
 session_name("mysession");
 /*remove the PHPSESSID and default session name from subdomain's cookie*/
 setcookie( "mysession", "",1,"/" );
 setcookie( "PHPSESSID", "",1,"/" );

If you continue to use PHPSESSID as your cookie name, just remove all the function calls with the "mysession" string, like session_name('mysession') and setcookie( "mysession", "",1,"/" );

Then check your browser's existing cookies, remove all the cookies of the domain and subdomain, and repeat the process.

4
votes

I know this is quite old - but to further expand on @CTT's suggestion - I needed to add a php.ini file in each sub-directory (that will be executing php code and requires the session) of my subdomain with the following text:

suhosin.session.cryptdocroot=Off
suhosin.cookie.cryptdocroot=Off

I hope this helps (it took me ages to figure this out).

4
votes

Another option that worked for me is to force the name of the session:

session_name("myWebsite");
session_start();

3
votes

Yes, ini_set is working, but remember to destroy all caches and cookies of the browser to see it work.

  1. Destroy all caches and cookies of your browser.
  2. In your xxx.example.com and yyy.example.com, your PHP files should start like this:

    ini_set('session.cookie_domain', '.example.com' ); session_start();
    
0
votes

I just had this problem and it turns out I was using different php.ini files for two different sub-domains. These ini files specified different session.save_path variables. For obvious reasons this needs to be the same for all sub-domains that need to share sessions.

0
votes

Try This:

session_start(); 

$sessionId =  session_id();

Log the user in. When the user switches to another subdomain, send the session ID in the URL like this: user.mydomain.com/?id=$sessionId

$sessionId =  $_GET['id'];

// session_start() does not take an ID; set it with session_id() first
session_id($sessionId);
session_start();

Now the user will get all the session values and stay logged in.

0
votes

Before session_start() use session_set_cookie_params() replacing .domain.com with your domain like this example:

session_set_cookie_params(0, '/', '.domain.com');
session_start();

-3
votes

    if (isset($_COOKIE['session_id'])) {
        session_id($_COOKIE['session_id']);
    }
    Zend_Session::start(); //or session_start();

    if (!isset($_COOKIE['session_id'])) {
        setcookie('session_id', session_id(), 0, '/', '.yourdomain.com');
    }

This is a good solution, but you cannot use it in all situations. For example, it will not work when you cannot rely on non-session cookies.

This actually MUST work if you use it correctly.

ini_set('session.cookie_domain', '.example.com' );

For example, you need to put it before session_start() and also in all files that call session_start().
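
A hardened form of the session.cookie_domain setup discussed in the answers above, shown as an added example that is not part of any answer. It assumes PHP 7.3+ (array form of session_set_cookie_params) and HTTPS on every subdomain; example.com, the APPSESSID name, the save path and both helper function names are placeholders.

```php
<?php
// Added example, not code from any answer above.
// PARENT_DOMAIN, the session name and the save path are assumed values.
const PARENT_DOMAIN = 'example.com';

function host_is_in_parent_domain(string $host, string $parent): bool
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host)); // drop any port
    $suffix = '.' . $parent;
    return $host === $parent || substr($host, -strlen($suffix)) === $suffix;
}

function start_shared_session(): void
{
    // Only widen the cookie scope when serving a host under the parent domain.
    if (!host_is_in_parent_domain($_SERVER['HTTP_HOST'] ?? '', PARENT_DOMAIN)) {
        throw new RuntimeException('Unexpected host, not starting a shared session');
    }
    // Accept only server-issued IDs, and only from the cookie (never the URL).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // All subdomains must read the same session store.
    session_save_path('/var/lib/php/sessions-shared'); // assumed path
    session_name('APPSESSID'); // assumed name, identical on every subdomain
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '.' . PARENT_DOMAIN, // cookie is sent to every subdomain
        'secure'   => true,                // HTTPS only
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function mark_logged_in(int $userId): void
{
    // Issue a fresh ID at login and delete the old session data,
    // so an ID planted before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

With the domain set to .example.com the session cookie reaches every host under that domain, so any subdomain that can run code or set cookies can read or replace the session; the setup fits only when all subdomains are equally trusted.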