I have a weird problem with PHP session shared across subdomains. I’ll try to be as clear as possible.
I have subdomainA and subdomainB, both share the same session. Both have a front end and a back end. I have a JS test function that does a POST to its respective PHP back-end, so I can check the session variables on each back-end.
This is how the session is started on both subdomains
if(session_status() !== PHP_SESSION_ACTIVE){
session_set_cookie_params(0, '/', '.domain.local');
session_name('mysession');
session_start();
}
When I load either subdomain, each will check if a session variable is present, if not, it will set it (the value is different per subdomain)
if(!isset( $_SESSION['test'] )){
$_SESSION['test'] = 'I was born on subdomainA';
}
or
if(!isset( $_SESSION['test'] )){
$_SESSION['test'] = 'I was born on subdomainB';
}
Say I visit subdomainB then open a new tab and visit subdomainA, then use my test function, each return the proper session value (the same) from their respective backend. So far so good.
Now, subdomainB can change the session variable value later on by a POST action from its front-end, which triggers a CURL request from its backend to a 3rd-Party and the result of that call updates the value of the session variable.
To make sure CURL does not mess with the session, I do
session_write_close();
[CURL]
session_start();
$_SESSION['test'] = 'I was set by 3rd party';
Then I can call my JS test function from each-front after that, and I get the updated value pulled from the session variable from both subdomainA and B. Everything works, I get
'I was set by 3rd party'
Now the weird part. Everything works fine until subdomainB changes the value a 2nd time via CURL. If, after, that, I pull the value from the JS function from subdomainA or B, the value in the session is good BUT if I reload subdomainA, then the whole session is empty (but has the same ID).
If I reload subdomainA before subdomainB changes it a 2nd time, it all works fine. It happens after subdomainB does the CURL call for the 2nd time.
Please note that it all works fine as long as I don’t refresh a page, meaning that the 2nd time the CURL calls goes through, and use my JS function, I still get the proper latest updated value and as long as I don’t reload, from both subdomains.
For some reason, reloading subdomainA after the 2nd CURL call wipes the session data.
Any idea?
Edit : my apache error log reports
* old SSL session ID is stale, removing
How do I fix that?