Not sure what is going on but I have been having issues with automatically logging out when "www." is used in the header.
When I log into the site such as www.blahblah.com ..
then my session is working as long as "www." is in the header..
If the header is changed to blahblah.com then the session goes bye bye.
Any tips?
session lost when using www.
Re: session lost when using www.
That's something I have never even thought about! Luckily I usually redirect the www. to the non www.
Re: session lost when using www.
I had this issue when I was obsessed with subdomains. :3
I would have the user login to something like 'login.website.net' then redirect them to 'website.net'. I face-palmed so hard when I found out that PHP's $_SESSION only worked with that domain.
For example, 'www' is an extension of 'website.net' (that's why subdomains won't work with http://www.login.website.net, and why 'www' and website.net have to be 2 different domains in 'A' records) therefore, PHP's security pops in and only assigns sessions to that one domain. It would be hectic otherwise.
If you want to have a session for all subdomains on your website, you are not going to get a decent result. I found that the best way (other than just to keep users on one domain) was to use cookies.
An example of a multi-domain cookie:
<?php
// Do all the authentication first, then if it's correct:
setcookie("Login", $username, time()+3600, "/", "website.net", 1);
?>
"Login" is the cookie name. This should be something complicated (my opinion)
"$username" is the... Username... Can be accessed like a session: $_COOKIE["Login"]; (if the cookie's name was "Login")
"time()+3600" is the expiration time. In this case, 1 hour.
"/" is the directory the cookie will be available on, "/" means ALL directories. "/stuff/" will only be valid on "website.net/stuff/"
"website.net" is the domain that it will be available on. Since this is the root domain, it will be available on higher levels, like "login.website.net". If you wanted to be silly, putting ".net" will make the cookie available on ALL domains that have ".net"
"1" means httponly, A.K.A. if you had http:// instead of https:// then you leave it 1. Otherwise, make it 0.
This is the way I use cookies, so please, if there is anything insecure about this... be sure to let me know
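An added example (not code from this thread) for the question at the end of the post above: in PHP's setcookie() the sixth argument is `secure` and the seventh is `httponly`, and a cookie that stores the username can be edited by the client, so this version keeps the login in the server-side session and only widens the session cookie's domain so that it survives moving between the bare domain and its subdomains. It assumes PHP 7.3+, a site served over HTTPS, and the thread's placeholder domain `website.net`; the function names are hypothetical.

```php
<?php
// Added example, not code from this thread. Assumes PHP 7.3+ and HTTPS;
// "website.net" is the thread's placeholder, function names are hypothetical.

function start_shared_session(string $parentDomain): void
{
    // Only scope the cookie to the parent domain when the request really is
    // for that domain or one of its subdomains (the Host header is client-supplied).
    $host   = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
    $suffix = '.' . $parentDomain;
    if ($host !== $parentDomain && substr($host, -strlen($suffix)) !== $suffix) {
        http_response_code(400);
        exit('Unexpected host');
    }

    session_set_cookie_params([
        'lifetime' => 0,              // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => $parentDomain,  // sent to website.net, www.website.net, login.website.net
        'secure'   => true,           // only sent over HTTPS
        'httponly' => true,           // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $username): void
{
    // Call only after the password check has succeeded.
    session_regenerate_id(true);       // fresh ID at login, guards against session fixation
    $_SESSION['username'] = $username; // kept server-side; the cookie carries only the ID
}

start_shared_session('website.net');
$currentUser = $_SESSION['username'] ?? null; // null means nobody is logged in
```

A host-only session cookie set before this change can still be sent alongside the new one until it expires or is cleared. Every subdomain of the parent domain receives the session ID, so this fits only when all of them are under the same control.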
Re: session lost when using www.
Or what about just redirecting the domain.com to www.domain.com?
I believe this is recommended for the SEO, correct me if I'm wrong.
You can combine this with the fix as told by Abcedea.
This is how I do it.
if (strpos($_SERVER['HTTP_HOST'], 'www.') !== 0) {
    // Host does not start with "www.": permanently redirect to the www host
    header('HTTP/1.1 301 Moved Permanently');
    header("Location: http://www.industrialgaming.net" . $_SERVER['REQUEST_URI']);
    exit;
}