Skip to content
{ 2008 04 10 }

Sharing session data across domains with PHP

The problem: Multiple domains hosted on one server needed access to the user’s session data. In my case, various shopping domains were sharing one (SSL-enabled) domain where the users could place their orders.

The solution I found was surprisingly simple: Since these domains were hosted on the same server and used the same session save path, I was wondering if I could simply pass the existing session ID along to the new domain in order to give it access to the corresponding session file. Indeed all it took was a hidden form field containing the session ID and something like “session_id($_POST['SID'])” on top of the first page of the ssl-domain (before session_start()). VoilĂ , the old session ID was also the new one and the ssl-domain could continue working with the session data.

On top of that, if the user returned to the previous domain (anywhere!), his – possibly updated – session data was still available there, too (unless he had somehow deleted the session cookie). If I had opted to actually pass the session data between domains and not just the ID, this “seamless” user experience would’ve been harder to achieve.

Now where’s the catch? Well – obviously – once business takes off and several servers become necessary to handle the load, I’ll be cursing myself for not implementing a databased-based* solution for session management like the one mentioned in recipe 11.4. of the PHP Cookbook.

*“Database-based” sounds really bad, no wonder it’s “database-aware” in the book. Can I call it “databased”? :)

Back to reality, on a managed or shared server there’s always the danger of the admin breaking this simple solution. The obvious candidate for disaster would be the session save path, which has to be the same for all domains (but hopefully different from other client’s paths). A way more obscure modification by my webhost caused some panic this morning: the suhosin.session.cryptdocroot flag was apparently set to “on” and did what it was designed to do, forcing the ssl-domain to start a new session file and thereby overwriting the customers’ shopping carts once they tried to check out.

Posted by Stephan on Thursday, April 10, 2008, at 00:57. Filed under Web development. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog.

{ 3 } Comments

  1. gwaine | January 14, 2010 at 17:49 | Permalink

    Hey, this was a big help to me…thanks so much for posting this!

  2. Jay | September 8, 2011 at 16:00 | Permalink

    I’m glad I found this web page because the other web pages were having you jump through hoops to do the same thing. I did try setting the session_id(my_session_id) before I came to this website, but I didn’t try it before session_start(). That made all the difference. Thanks.

  3. Omar | January 21, 2012 at 19:56 | Permalink

    Can you please post some sample codes?

Post a Comment

Your email is never published nor shared. Required fields are marked *