English
English
In modern web development, especially with frontend-backend separation, cross-domain requests have become common. However, due to browser same-origin policy restrictions, sessions cannot be shared across different domains by default. This often results in user login states being lost between domains. To solve this, we can use techniques such as cookies or tokens to enable cross-domain session sharing.
Cookies can be used to transfer session information between domains under certain configurations, making them a popular approach for session sharing. Here's how to implement it:
First, create a session on the server:
session_start();
$_SESSION['user'] = 'example';Next, write the session ID to a cookie and set its domain scope:
setcookie(session_name(), session_id(), time() + 60*60*24*30, '/', 'www.example.com', false, true);Replace www.example.com with your actual domain name.
Then, include cookies when making cross-domain requests from the client:
fetch('http://www.example.com/api', {
credentials: 'include',
});The credentials: 'include' option ensures that cookies are sent along with the request.
Finally, on the server side, parse the cookie and restore the session:
session_id($_COOKIE[session_name()]);
session_start();
if(isset($_SESSION['user'])){
// session sharing successful
}else{
// session sharing failed
}With these configurations, session data can be successfully shared across domains.
Another flexible solution is using a token-based approach. Unlike cookies, tokens work independently of browser policies, making them suitable for APIs and mobile clients.
Here’s how to implement it:
First, generate a token when the user logs in:
$token = bin2hex(random_bytes(16));
// Store token in the database and associate it with the user
// Return the token to the clientNext, store the token on the client side using localStorage or sessionStorage.
When sending cross-domain requests, include the token in the headers or as a request parameter:
fetch('http://api.example.com/userinfo', {
headers: {
'Authorization': 'Bearer ' + localStorage.getItem('token')
}
});On the server side, validate the token and restore the user session based on the verification result.
To maintain security, ensure tokens have expiration times and implement token refresh mechanisms. The server should also periodically clean up expired tokens.
This article presented two common methods for solving PHP session cross-domain issues: using cookies for session sharing and using tokens for identity management. The cookie-based approach is simple and suitable for subdomain sharing, while the token-based method offers better flexibility and security for distributed or multi-platform systems. Choose the approach that best fits your project’s architecture and security requirements.
