I have discovered that the session cookie set by Elgg at login can only be read by the subdomain where it was created. I am using Elgg 1.8.3.
If I go to www.mydomain.com/elggdir/ and log in, then change the URL in my browser to just mydomain.com/elggdir/ it doesn't see me as logged in.
Additionally, a separate microsite will be tightly linked to my Elgg installation, and it lives at myproject.mydomain.com so it also can't see the Elgg cookie.
I tried creating a new php.ini file in the Elgg root directory with this line:
session.cookie_domain=.mydomain.org
, and logged in. My browser's cookie library showed that Elgg did properly set the cookie to be owned by .mydomain.com instead of mydomain.com as previously.
However, login now fails totally. When I try to log in, Elgg shows a red bar in the upper right corner saying 'you have to be logged in to see this file.' I had to disable my php.ini file to get my site back.
My research has only turned up one good discussion about cross-subdomain Elgg sessions. Can anyone provide input on this?
Thank you for your time.
Paul
Hmm, I would've suggested the session.cookie_domain change, too. You're sure you've deleted all your cookies before trying again?
As far as I can tell, yes. I tried in several browsers. Here are the results:
with the .mydomain.com php.ini in place:
PC:
  IE8:
    www: logs in, routes to http://mydomain
    no sub: logs in.
  Chrome 16:
    www: routes to http://mydomain, reloads login screen
    no sub: reloads login screen
  Opera 11.61:
    www: logs in, routes to http://mydomain
    no sub: logs in.
  Firefox 9.0.1:
    www: routes to http://mydomain, reloads login screen
    no sub: reloads login screen
Mac:
  Firefox 9.0.1:
    www: routes to http://mydomain, reloads login screen
    no sub: reloads login
    one time, it logged me in, maybe due to some inconsistent cookie deletion?
  Safari 5.1.2:
    www: routes to http://mydomain, reloads login screen
    no sub: reloads login
  Opera:
    www: routes to http://mydomain, logs in successfully.
    no sub: logs in
Opera works on both PC and Mac, and IE8 works on the PC. I wonder if those handle cookies differently?
Update: I disabled the php.ini file again, deleted cookies in Firefox on both PC and Mac. Then I tried logging into Elgg, and got in, no problem, on both machines.
You should try setting session.cookie_domain in your config file:
ini_set('session.cookie_domain', '.mydomain.com');
My hunch is that your host (like Site5.com) requires PHP settings to be set in a php.ini file in every directory where PHP scripts are called by Apache. Setting it in engine/settings.php makes sure this is always set.
Steve, thank you for sticking with me on this. I tried placing the ini_set line in engine/settings.php, and got the same behavior as when I tried setting the subdomain access in the .htaccess file. Can't log in in Firefox, but can in IE. I disabled the ini_set line, and now can log in with Firefox.
I have been considering multiple aspects of this project over the weekend and have decided to simply move my Elgg installation into the same subdomain as the current project that will use it. That should clear up this problem and other issues I have been working on.
Paul
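
Added example, not part of the thread and not Elgg code: a sketch of the RFC 6265 rules that decide which hosts receive a session cookie with and without a Domain attribute, including the case where a stale host-only cookie and a new domain-wide cookie share a name. The cookie name, the values and the host other.mydomain.com are constructed; path, Secure, expiry and public-suffix handling are left out.

```javascript
// RFC 6265 section 5.1.3 domain matching (IP-address hosts are not handled).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Store a cookie the way a browser does when `requestHost` sends Set-Cookie.
// domainAttr is the Domain attribute, or null when the server sent none.
function storeCookie(name, value, requestHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to that exact host only.
    return { name, value, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  // RFC 6265 section 5.2.3: a leading dot in the attribute is ignored.
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only set cookies for itself or a parent domain; else rejected.
  if (!domainMatch(requestHost, domain)) return null;
  return { name, value, domain, hostOnly: false };
}

// Cookie header sent to `host`, oldest cookie first (paths are equal here).
function cookieHeader(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter(c => c && (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jars: the default host-only session cookie, then the same jar
// after a second login with session.cookie_domain set to .mydomain.com.
const jarDefault = [storeCookie("Elgg", "old111", "www.mydomain.com", null)];
const jarShared = [
  ...jarDefault,
  storeCookie("Elgg", "new222", "www.mydomain.com", ".mydomain.com"),
];

function report() {
  const hosts = ["www.mydomain.com", "mydomain.com",
                 "myproject.mydomain.com", "other.mydomain.com"];
  return hosts.map(host => ({
    host,
    hostOnly: cookieHeader(jarDefault, host) || "(none)",
    shared: cookieHeader(jarShared, host) || "(none)",
  }));
}

console.table(report());
```

With the domain-wide setting, every host under mydomain.com receives the session identifier, so each of those hosts has to be trusted as much as the Elgg site itself.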