I am working on a WP Multisite setup with the following directory structure:
The site on main-domain.com has navigation links that open the “ebar.com” and “efoo.com” sites (which do NOT open as ‘ebar.main-domain.com’) in a new tab. I am trying to save the sessionID from the main-domain to either sessionStorage, localStorage, or a cookie so that it is available when that tab loads.
The truth is, it doesn't have to be the sessionID. I just need some browser-specific identifier to keep sessions separate and sessionID was my first thought. I am using it to serve as a key on a server-side database table (along with some other data) so that I can query it from the subdomains. The data I am fetching is done via a jQuery ajax call and uses a nonce over https so I think the risk of session hijacking is minimized. Also, it is not sensitive anyway.
However, the sessionID, sessionStorage, localStorage, and the $_COOKIES objects are ALL completely regenerated once the new tab loads.
I’ve tried the following:
- Changing the wp-config to this (per this SO post):

    define('ADMIN_COOKIE_PATH', '/');
    define('COOKIE_DOMAIN', '.main-domain.com');
    define('COOKIEPATH', '');
    define('SITECOOKIEPATH', '');
    define( 'COOKIEHASH', md5( 'main-domain.com' ) );

  Note that this post suggests the COOKIE_DOMAIN be set to false:

    define('COOKIE_DOMAIN', false);

  Which is correct?
- Thinking that my issue is that my session ID is not being accepted by the subdomains, I turned to this post and implemented the following changes:

  In .htaccess, I added this line (thinking that it needed to be set higher than what I was doing in the above wp-config):

    php_value session.cookie_domain .main-domain.com

  Just to be thorough, I added the following in my php script just before I call session_start():

    ini_set('session.cookie_domain', '.main-domain.com');
    if (!session_id()) {
        session_start();
    }

  Note that I also tried the second most upvoted suggestion (noting the security warning) just to see if I could get something working:

    if (isset($_COOKIE['session_id'])) {
        session_id($_COOKIE['session_id']);
        session_start();
    }
    if (!isset($_COOKIE['session_id'])) {
        setcookie('session_id', session_id(), 0, '/', '.yourdomain.example');
    }

  but that didn't work either.
I feel like I am either missing something obvious or trying to do something that really shouldn't be done (opening up an XSS vulnerability, for example).
So it boils down to two questions:
- What am I missing to get this working? Is this even possible, or can I only preserve sessionID (or sessionStorage or localStorage) if the browser does an in-place redirect (versus opening a new tab)?
- If I can't have the sessionID, is there something I can generate unique to a browser session, but not-unique across tabs?
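
Added example, not part of the original post: the COOKIE_DOMAIN and session.cookie_domain settings above scope cookies to .main-domain.com, and this implementation of the RFC 6265 domain-match rule shows which hosts a browser would send such a cookie to. The host names come from the post; `notmain-domain.com` and the function names are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3 domain-match: is requestHost covered by a cookie's Domain?
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  // Section 5.2.3: a leading "." in the Domain attribute is ignored.
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // IP literals match only exactly, never as a suffix.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  if (isIp) return false;
  // A suffix match must fall on a label boundary ("." + domain).
  return host.endsWith("." + domain);
}

// Section 5.3: a Set-Cookie whose Domain does not cover the host that sent it
// is discarded, so one site cannot plant a cookie for an unrelated site.
function browserStoresCookie(settingHost, cookieDomain) {
  return domainMatch(settingHost, cookieDomain);
}

// Which of the given hosts would receive the cookie on a request?
function hostsReceivingCookie(cookieDomain, hosts) {
  return hosts.filter((h) => domainMatch(h, cookieDomain));
}

// Constructed sample hosts, based on the names used in the post.
const HOSTS = [
  "main-domain.com",
  "ebar.main-domain.com",
  "ebar.com",
  "efoo.com",
  "notmain-domain.com",
];

for (const h of HOSTS) {
  const sent = domainMatch(h, ".main-domain.com");
  console.log(`${h.padEnd(22)} receives Domain=.main-domain.com cookie: ${sent}`);
}
```

Web Storage (sessionStorage, localStorage) is partitioned by origin, so it is likewise not shared between main-domain.com and ebar.com.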