I had this issue when I was obsessed with subdomains. :3
I would have the user login to something like 'login.website.net' then redirect them to 'website.net'. I face-palmed so hard when I found out that PHP's $_SESSION only worked with that domain.
For example, 'www' is an extension of 'website.net' (thats why subdomains wont work with http://www.login.website.net, and why 'www' and website.net have to be 2 different domains in 'A' records) therefore, PHP's security pops in and only assigns sessions to that one domain. It would be hectic otherwise.
If you want to have a session for all subdomains on your website, you are not going to get a decent result. I found that the best way (other than just to keep users on one domain) was to use cookies.
An example of a multi-domain cookie:
<?php
// Do all the authentication first, then if its correct:
setcookie("Login", $username, time()+3600, "/", "website.net", 1);
?>
"Login" is the cookie name. This should be something complicated (my opinion)
"$username" is the... Username... Can be accessed like a session: $_COOKIE["Login"]; (if the cookies name was "Login")
"time()+3600" is the expiration time. In this case, 1 hour.
"/" is the directory the cookie will be available on, "/" means ALL directories. "/stuff/" will only be valid on "website.net/stuff/"
"website.net" is the domain that it will be available on. Since this is the root domain, it will be available on higher levels, like "login.website.net". If you wanted to be silly, putting ".net" will make the cookie available on ALL domains that have ".net"
"1" means httponly, A.K.A. if you had http:// instead of https:// then you leave it 1. Otherwise, make it 0.
This is the way I use cookies, so please, if there is anything in-secure about this... be sure to let me know
