When I built things before, I usually stored the session directly in the database, which solves cross-domain issues, not just cross-subdomain ones. The problem I ran into today, however, was that I had to modify someone else's existing work. Since only subdomains were involved, I thought there must be a simple solution. A Baidu search turned up three solutions:
Session is mainly divided into two parts:
One is the Session data, which by default is stored on the server in the tmp directory, in the form of a file.
The other is the Session ID that marks the Session data. The Session ID is the file name of the Session file. The Session ID is randomly generated, which ensures its uniqueness and randomness and so the security of the Session. Generally, if no lifetime is set for the Session, the Session ID is kept only in memory: after the browser is closed the ID is discarded automatically, and a new Session ID is registered the next time a page is requested. If the client has not disabled cookies, the cookie is what stores the Session ID and the Session lifetime when the Session is started.
Two different domain name websites want to use the same Session, which involves Session cross-domain issues!
By default, each server generates its own SESSION ID for the same client. For example, for the same user browser, the SESSION ID generated by server A is 11111111111, while the SESSION ID generated by server B is 222222. In addition, PHP's SESSION data is stored separately in each server's own file system. If you want to share SESSION data, you must achieve two goals:
One is that the SESSION ID generated by each server for the same client must be the same and must be passed through the same COOKIE, which means that each server must be able to read the same COOKIE named PHPSESSID;
The other is that the storage method/location of the SESSION data must ensure that each server can access it. Put simply, the servers (A and B) must share both the client's SESSION ID and the server-side SESSION data.
There are three solutions:
1. Make the following settings at the very beginning of the PHP page (before any output and before session_start()):
ini_set('session.cookie_path', '/');
ini_set('session.cookie_domain', '.mydomain.com');
ini_set('session.cookie_lifetime', '1800');
2. Set the following in php.ini:
session.cookie_path = /
session.cookie_domain = .mydomain.com
session.cookie_lifetime = 1800
3. Call the following function at the very beginning of the PHP page (same condition as 1):
session_set_cookie_params(1800, '/', '.mydomain.com');
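The three options above only set the cookie's scope, and a cookie scoped to .mydomain.com is sent to every subdomain of that domain. The following is an added example, not code from the original article, showing the same settings together with the cookie flags and ID handling such a widely scoped session cookie normally needs; on_login() and its user ID argument are hypothetical.

```php
<?php
// Added example, not from the original article. '.mydomain.com' is the
// article's placeholder domain; the hardening settings are additions.

// Must run before any output and before session_start(), as in option 1.
ini_set('session.use_strict_mode', '1');   // reject session IDs this server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the session ID from the URL

// The array form of session_set_cookie_params() requires PHP 7.3 or later.
session_set_cookie_params([
    'lifetime' => 1800,
    'path'     => '/',
    'domain'   => '.mydomain.com', // cookie goes to every subdomain of mydomain.com
    'secure'   => true,            // only sent over HTTPS
    'httponly' => true,            // not readable from page JavaScript
    'samesite' => 'Lax',           // withheld on cross-site subrequests
]);

session_start();

// Hypothetical login step: issue a fresh ID when the privilege level changes,
// so an ID that existed before login is not carried into the logged-in session.
function on_login(string $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}
```

Because every host under the parent domain receives this cookie, the least trusted subdomain sets the security level of the shared session.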
Each session has a session_id as its unique identifier.
Implementing cross-subdomain sessions means that when the same browser accesses the two subdomains A and B, both see the same session.
Since the session is stored on the server side, how can we let the two servers recognize that these two requests come from one browser?
Cookies are saved on the client, and the server usually identifies different clients through cookies. Therefore, you can use a cookie to save the session_id and set the cookie's domain to the parent domain.
For example, when visiting a.sso.com, the session_id is saved in a cookie. When visiting b.sso.com, the session_id is read from the cookie, and the session is fetched from a persistence container using the session_id.
In this experiment, PHP is used as the experimental language.
When visiting a.sso.com, the session_id is saved in the cookie through:
session_start();
$_SESSION['person'] = "SBSBSBS";
$session_id = session_id();
setcookie('name', $session_id, time() + 3600 * 24, '/', 'SSO.com');
The session is then serialized:
$session_value = serialize($_SESSION);
and $session_value is saved in the database.
When visiting b.sso.com, the session_id is obtained from the cookie, and the serialized session is then fetched from the database by that session_id. The session can then be operated on, which achieves cross-subdomain sessions.
Because reading a session from the database is a relatively time-consuming operation, the session can instead be saved in a cache such as memcached or redis, which makes accessing the session faster.
Another advantage of using a cache is that a session usually has a limited survival time. If the session is kept in the database, its survival time has to be saved as well, and when the session is taken out it has to be checked for expiry.
With a cache, the survival time can be set when the session is stored, which removes the need for an expiry check after retrieval.
ini_set('session.cookie_path', '/');
ini_set('session.cookie_domain', '.jb51.net'); // Note: replace jb51.net with your own domain
ini_set('session.cookie_lifetime', '1800');
As shown in the picture:
[Screenshots: Site 1 and Site 2]
You can see that the PHPSESSID of the two sites is the same, which of course also solves the cross-subdomain problem.
The above are several solutions for implementing cross-subdomain sessions in PHP. I hope they can help everyone who needs them.