Debian PHP Session Sharing Stopped Working

Thursday, 2009-08-27 15:27, 1251386831 seconds since Unix epoch

The preferred method of sharing sessions between (sub)domains has always been the session.cookie_domain PHP setting. For example, if I want to keep my blog’s session in the photography pages, I simply set PHP’s session.cookie_domain to ".jrrzz.net".

But all of a sudden, this stopped working. Visiting one of the domains while having an active session on another destroyed all active sessions altogether. After searching through the docs, and several angry users later, I’ve found the culprit.

The Suhosin security patch encrypts the session data using the DocumentRoot string as part of the encryption key. Since the DocumentRoot usually varies between subdomains, a session written under one subdomain cannot be decrypted under another, so you’ll have to disable this in Suhosin’s own configuration file. Simply set the PHP directive suhosin.session.cryptdocroot to off.
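The failure described above can be reproduced in a small model. This is an added example, not code from this post or from Suhosin. The hash-based cipher is a stand-in for Suhosin's real algorithm, and the secret, DocumentRoot paths and session payload are constructed. It assumes both vhosts share one session store and one configured secret, and that undecryptable data is treated as an empty session.

```python
import hashlib
import hmac

def derive_key(secret: bytes, docroot: str, cryptdocroot: bool) -> bytes:
    # Model: the key is a hash of the configured secret, with the vhost's
    # DocumentRoot mixed in only when cryptdocroot is enabled.
    material = secret + (docroot.encode() if cryptdocroot else b"")
    return hashlib.sha256(material).digest()

def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in stream cipher: SHA-256 in counter mode (not Suhosin's cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, data: bytes) -> bytes:
    # Encrypt, then prepend an integrity tag so a wrong key is detectable.
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return b""  # assumption: wrong key means the vhost sees an empty session
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def share_session(cryptdocroot: bool) -> bytes:
    # The blog vhost writes the session; the photo vhost receives the same
    # session id through the shared cookie domain and reads the stored blob.
    secret = b"constructed-shared-secret"
    blog_key = derive_key(secret, "/var/www/blog", cryptdocroot)
    photo_key = derive_key(secret, "/var/www/photos", cryptdocroot)
    stored = seal(blog_key, b'user|s:5:"alice";')
    return unseal(photo_key, stored)

if __name__ == "__main__":
    print("cryptdocroot on :", share_session(True))
    print("cryptdocroot off:", share_session(False))
```

With cryptdocroot off, the key no longer separates vhosts that share a session store, so the session key then depends only on whatever other key inputs remain configured.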
