Site structure and sessions

Blaine, 07-25-2003 (#1)

I am contemplating the structure for a new site. I would like to
organize the site with sub domains as in

domain.com
subdomain1.domain.com
subdomain2.domain.com
subdomain3.domain.com

I understand that sessions are not passed from domain to domain or
domain to subdomain. I did some searching and found out a few things.
There doesn't seem to be much on the subject.

There is a setting in php.ini called session.cookie_domain. It is
normally left set to "". However, you can set it to your domain and php
will use that domain to store all sessions. This allows you to use
sessions across domains.

This is fine if your domains are the only domains using php on the
server. I happen to use an ISP so changing the ISPs php.ini file is not
an option for me.

I can use ini_set() and temporarily modify the value of
session.cookie_domain for the life of the script as in:

ini_set("session.cookie_domain", ".domain.com");

The . before domain.com is needed so that it is available to subdomains
as well. This line needs to be called before session_start().

I could put this in an include file and call it from each page that uses
a session.

I also read that ini_set() can be used in an .htaccess in the root
directory of each domain, subdomain and directory where pages may use
sessions. It would look something like:

php_value session.cookie_domain .domain.com

Setting the value in an .htaccess would be a lot easier than including
ini_set("session.cookie_domain", ".domain.com");
on each page that uses sessions.

I have not tested any of these options as I am now gathering info in
order to make a decision. I would appreciate any feedback on organizing
the site, using subdomains, and passing session values from domain to
domain. Is this more trouble than it is worth? Should I just use
directories to organize the site?

Thanks in advance,
Blaine

Curt Zirzow, 07-25-2003 (#2)
Re: [PHP] Site structure and sessions

* Thus wrote Blaine (blainechase@netscape.net):
>
> I also read that ini_set() can be used in an .htaccess in the root
> directory of each domain, subdomain and directory where pages may use
> sessions. It would look something like:
>
> php_value session.cookie_domain .domain.com
>
> Setting the value in an .htaccess would be a lot easier than including
> ini_set("session.cookie_domain", ".domain.com");
> on each page that uses sessions.


Yes, this is a wiser choice vs. setting it system wide.

You do have another alternative which would be to use the 5th
argument in setcookie:

bool setcookie ( string name [, string value [, int expire [,
string path [, string domain [, int secure]]]]])

>
> I have not tested any of these options as I am now gathering info in
> order to make a decision. I would appreciate any feedback on organizing
> the site, using subdomains, and passing session values from domain to
> domain. Is this more trouble than it is worth? Should I just use
> directories to organize the site?


In general, allowing subdomains (.yourdomain.com) is safe. But as a
hosting company you might perhaps allow that cookie to be modified
by other people if, say, you set up a simple hosting site for a user:

user.yourdomain.com/
or
yourdomain.com/~user/

But from what it looks like you aren't planning on using that
methodology for users.

I tend to stay away from directories and use subdomains to
distinguish between different aspects of the site as per some
examples:

domain.com            main web pages for domain
www.domain.com        main web pages for domain
dbadmin.domain.com    Database interface
logs.domain.com       View my logs.


Now going back to your cookie issue, you really don't want dbadmin
and logs to be using the same cookie namespace. The only namespace
you would want to share would be the www.domain.com and domain.com,
because they are pointing to the same place.

You could also opt out of using the cookie method of passing
session id around and use the php SID query parameter. But you
then have to be careful at which domains you are going to pass your SID
to. On the other hand you have more control and it is expected to
work even if the user refuses your cookies.

HTH,

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
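
The cookie scoping discussed in this thread, as an added example that is not code from either poster: an include file that shares one session cookie between domain.com and www.domain.com and gives dbadmin, logs and any other subdomain its own host-only cookie. The function names and session names are hypothetical, the host names are the thread's, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example: include this before any output on every page that uses sessions.
// Host names are the thread's; function and session names are hypothetical.
const BASE_DOMAIN = 'domain.com';

// Returns [session name, cookie domain]. An empty cookie domain means a
// host-only cookie, which the browser does not send to sibling subdomains.
function session_scope_for(string $host): array
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host)); // drop any port

    // domain.com and www.domain.com point to the same place: share one cookie.
    if ($host === BASE_DOMAIN || $host === 'www.' . BASE_DOMAIN) {
        return ['SITESESSID', '.' . BASE_DOMAIN];
    }

    // dbadmin, logs, ...: separate session name and a host-only cookie.
    $suffix = '.' . BASE_DOMAIN;
    if (substr($host, -strlen($suffix)) === $suffix) {
        $label = substr($host, 0, -strlen($suffix));
        if (preg_match('/^[a-z0-9-]+$/', $label)) {
            return [strtoupper(str_replace('-', '', $label)) . 'SESSID', ''];
        }
    }

    // Unknown or malformed Host header: PHP's default name, host-only cookie.
    return ['PHPSESSID', ''];
}

function start_scoped_session(): void
{
    [$name, $domain] = session_scope_for($_SERVER['HTTP_HOST'] ?? '');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_name($name);
    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser closes
        'path'     => '/',
        'domain'   => $domain,  // '' keeps the cookie on the exact host
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

start_scoped_session();
```

The shared cookie is still sent by the browser to every subdomain of domain.com, so the distinct session names are what stop dbadmin and logs from treating it as their own session.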