Member Avatar for mt2009

I heard the best method to share session across multiple domains on same server is to use custom php session handler. (ie, domain name different like abc.com, xyz.com but single application.)

But after i tried it, even custom php session handler that using SAME DATABASE ON 1 SERVER can't share session, when i tried to read cookie value from different domain.

Here's my custom session handler, Please kindly check or fix if something missing here. because i've tried it for a week now. can't get it to work

P.S. To get previous session id, i use link such as: newdomain.com/?ssid=[SESSION_ID]


SESSION_INCLUDE.PHP

<?php 
 
// config 
$m_host = "localhost"; //MySQL Host 
$m_user = "db_user"; //MySQL User 
$m_pass = "db_pass"; //MySQL Pass 
$m_db   = "db_name"; //MySQL Database
$table  = "sess_data";
 
$session_expire = 600; // Session expire time, in seconds (minutes * 60 = seconds) 
 
$gc_probability = 100; // Probability that the garbage collection function will be called. 50% chance by default 
 
ini_set("session.gc_probability",$gc_probability); 
 
/* Open function; Opens/starts session 
 
   Opens a connection to the database and stays open until specifically closed 
   This function is called first and with each page load */ 
 
function open ($s,$n) // do not modify function parameters 
{ 
  global $session_connection, $m_host, $m_user, $m_pass, $m_db; 
  $session_connection = mysql_pconnect($m_host,$m_user,$m_pass); 
  mysql_select_db($m_db,$session_connection); 
  return true; 
} 
 
/* Read function; downloads data from repository to current session 
 
   Queries the mysql database, unencrypts data, and returns it. 
   This function is called after 'open' with each page load. */ 
function read ($id) // do not modify function parameters 
{ 
  global $session_connection,$session_read,$table; 
  $query = "SELECT data FROM `$table` WHERE id=\"{$id}\""; 
  $res = mysql_query($query,$session_connection); 
  if(mysql_num_rows($res) != 1) return ""; // must return string, not 'false' 
  else 
  { 
    $session_read = mysql_fetch_assoc($res); 
    $session_read["data"] = base64_decode($session_read["data"]); 
    return $session_read["data"]; 
  } 
} 
function write ($id,$data) // do not modify function parameters 
{ 
  if(!$data) { return false; } 
  global $session_connection, $session_read, $session_expire, $table; 
  $expire = time() + $session_expire; 
  $data = mysql_real_escape_string(base64_encode($data)); 
  if($session_read) $query = "UPDATE `$table` SET data=\"{$data}\", expire=\"{$expire}\" WHERE id=\"{$id}\""; 
  else $query = "INSERT INTO sess_data SET id=\"{$id}\", data=\"{$data}\", expire=\"{$expire}\""; 
  mysql_query($query,$session_connection); 
  return true; 
} 
function close () 
{ 
  global $session_connection; 
  mysql_close($session_connection); 
  return true; 
} 
function destroy ($id) // do not modify function parameters 
{ 
  global $session_connection,$table; 
  $query = "DELETE FROM `$table` WHERE id=\"{$id}\""; 
  mysql_query($query,$session_connection); 
  return true; 
}
function gc ($expire) 
{ 
  global $session_connection,$table; 
  $query = "DELETE FROM `$table` WHERE expire < ".time(); 
  mysql_query($query,$session_connection); 
}
// Set custom handlers 
session_set_save_handler ("open", "close", "read", "write", "destroy", "gc"); 
 
// Start session 
session_start(); 
?>

// MySQL Database Table

create table sess_data (
id2 int not null auto_increment,
id text not null,
data text,
expire int not null,
primary key(id2)
);
Edited by mt2009 because: n/a
  • 4 Contributors
  • 8 Replies
  • 733 Views
  • 9 Months Discussion Span
  • Latest Post Latest Post by tolinho

Recommended Answers

All 8 Replies

Member Avatar for mt2009

Check out this object oriented session handler: http://www.nateklaiber.com/blog/2006/05/10/custom-php-session-handler

Also this procedural session handler:
http://phpsecurity.org/code/ch08-2

The base64 encoding/decoding is superfluous because the data goes into a serialized array within the database.

the purpose of that script is exactly same with mine by using session_set_save_handler

but i can't get it to work on different domain on same server & same database!

Member Avatar for mschroeder

If you visit domain abc.com you will get a session id. Session ids are stored via a cookie. You can not read cookies from another domain via php.

So when you visit xyz.com its going to look for a session id in a cookie for domain xyz.com it won't find one and it will create a new session.

If by multiple sites you're using sub1.domain.com and sub2.domain.com you can have it set the cookie for .domain.com and all subdomains will be able to access it.

Member Avatar for mt2009

If you visit domain abc.com you will get a session id. Session ids are stored via a cookie. You can not read cookies from another domain via php.

So when you visit xyz.com its going to look for a session id in a cookie for domain xyz.com it won't find one and it will create a new session.

If by multiple sites you're using sub1.domain.com and sub2.domain.com you can have it set the cookie for .domain.com and all subdomains will be able to access it.

"Session ids are stored via a cookie. You can not read cookies from another domain via php."

Yes you absolutely can..

okay when you visit abc.com you will get session id right.. let say abc.com gives ur browser session id "123456789", then ur browser will store that sess id to cookie.

here's the way how you can pass that sess id to new domain (xxx.com)
put link inside abc.com php script:
http://www.xxx.com/?ssid=<?php echo $_COOKIE;?>

then the visitor of abc.com will see link like this:
http://www.xxx.com/?ssid=123456789

VIOLA! xxx.com can get that sess id using $_GET

now the problem is, how can both of that two site can share the session data (its on one server) (it's not working on 1 same /tmp file, and even not working on 1 same database when using custom php session handler)

Edited by mt2009 because: n/a
Member Avatar for mt2009

Are you setting the session id that is passed via the url before calling session_start on domain xyz?

<?php
if( isset($_GET['ssid'] ) ){
  session_id( $_GET['ssid'] );
}

session_start();

http://us3.php.net/manual/en/function.session-id.php

sorry, i think the problem is not about the passing session id to new domain.. because it's still on testing phase i just use firefox addon to manually change the cookie value myself.. so there's no problem with the cookie passing!

Member Avatar for tolinho

I everyone.
I have a question that is in a way similar to what has been post here.
But I need some advice if possible.

I have a new project in hand with two possible solutions has far has I can figure, and would appreciate your advise on the topic.

I will be needing to manage 20 to 50 domains/websites all with same MYSQL database structure, but different data.

I will also be needing to retrieve all information from all those different domains and putting it all together in ONE large database to be displayed on ONE main domain.

I also have a change to reconstruct those websites so I gess I have two possible solutions.

One solution is each domain has its one database and I cron a script that will import all information from each individual database of every domain to a main database, were all data will be gathered together and displayed on the main domain.

Other solution is maybe eliminating individual databases.
Making all domains share the same large database.
But when visiting a certain domain, only information for that domain will be retrieved from the shared database.

What would be the best solution and how could I achieve this.
Thanks.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.