strange php session behavior with absolute links

Question

I have observed my php application behaving rather strangely on the server that it is running on. When a user first visits the application, and clicks on a link with an absolute path, the session data is cleared.

I have recreated the problem as simply as possible. The code can be found below.

I have solved this problem by removing all absolute links in my application, I am simply looking for an explanation of this behavior.

To recreate the problem:

1. click 'login'
2. click 'relative link' and observe that the session still has the 'logged_in' variable set
3. click 'absolute link' and observe that the session data appears to be missing
4. click your browser's back button and observe that the session data has returned
5. click 'absolute link' and observe that the session data is missing again
6. click 'home (relative link)' and observe that session data is missing this time
7. click 'login' to reset the session data
8. click 'absolute link' again and observe that the session data was not cleared this time

Some important things to note:

• This is not a problem locally on my mac running MAMP with php 5.3.2, but is a problem on a server with php 5.2.14 and a different server running 5.3.2
• clicking the absolute link, and then the relative home link without login prevents the problem from ever occurring once you do log in.
• once the problem is solved by the method just mentioned, it can only be recreated by navigating to a different domain, clearing your browser's cache and navigating back. Clearing the cache without leaving the page will not work.
• this is also a problem if using a absolute path when redirecting using header('Location: ...')

index.php:

<?php
    session_start();

    print_r($_SESSION);

?>

    <br/><a href="http://www.myserver.org/page.php">Absolute link</a>
    <br/><a href="page.php">Relative link</a>
    <br/><a href="login.php">Log in</a> | <a href="logout.php">Log out (reset session)</a>

page.php:

<?php

    session_start();
    print_r($_SESSION);

?>
    <br/><a href="index.php">Home (relative link)</a>

login.php:

<?php
    session_start();
    $_SESSION['logged_in'] = true;

    header('Location: index.php');

logout.php:

<?php
    session_start();

    $_SESSION = array();
    session_destroy();

    header('Location: index.php');

Answer 1

At least in your example the pages are switching between two domains (rhun.ithaca.edu and www.ithacahealth.org). You'll notice that if you click "Log in" on both domains, then you'll have logged_in=1 in all cases. Anyway, that's the primary cause of the problem - two different domains.

Session cookies does not differ from any other cookies (from a browser's point of view), so they are subject to the same limitations - the relevant one being that you have to be on the same domain. You can change the session cookie settings with session_set_cookie_params() (that has to be done before session_start(), but even so you cannot allow the same cookie to be read from a different domain, only from a subdomain, if you require it.

Also, I don't know if it is relevant, but keeping the webpage on a singe domain/subdomain might help a little with search engine optimization - especially in cases where there is different content between the domains/subdomains, search engines might consider them to be different webpages and split their pagerank between them.