Hello!
I've got a web app that runs on 2 domains. If a user logs in on one of them, he also gets automatically logged in on the other.
To achieve this I've set up a custom session table in the database and a custom session adapter that makes use of it.
When the user is logged in on domain A and then visits domain B, domain B receives a login token. Using this token, the system has to change his current session ID on domain B to match the one from domain A.
This function is supposed to achieve this:
    public function tokenLogin ($token = '') {
        if ($token == '') return FALSE;

        // Getting the user's logged-in session through token
        $dbSession = DBSession::findFirstByToken($token);
        if ($dbSession !== FALSE) {
            if (!is_null($dbSession->userId) && $dbSession->user !== FALSE) {
                $session = $this->getDI()->getSession();
                $session->login = TRUE;
                session_write_close();

                // Setting current session to match the logged in SSID
                $session->setId($dbSession->ssid);
                $session->start();
                $session->set('auth', TRUE);
                $session->set('userId', $dbSession->user->id);
                if ($dbSession->user->isAdmin) $session->set('isAdmin', TRUE);

                // Make a new token (the user object comes from the matched session row)
                $session->set('token', md5(\Phalcon\Text::random(\Phalcon\Text::RANDOM_ALNUM, 10) . $dbSession->user->email . $_SERVER['REMOTE_ADDR'] . date('YmdHis')));

                // Update login data.
                $dbSession->user->lastLoginDate = date('Y-m-d H:i:s');
                $dbSession->user->lastLoginIP = $_SERVER['REMOTE_ADDR'];
                return $dbSession->user->save();
            }
        }
        return FALSE;
    }
However, with the code above the new SSID is used only from the line $session->setId($dbSession->ssid); until the code execution ends. The previous SSID somehow pops up again in all further executions.
I’ve also found out how to make it work. I have to replace $session->setId($dbSession->ssid); with session_id($dbSession->ssid); and $session->start(); with session_start();.
So my question is: what is wrong with the $session->setId() and $session->start() functions? Why won’t the SSID persist if I use them, but will if I use the native PHP functions?
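For reference, here is the handover written with the native session functions the poster reports as working, as an added example that is not the poster's code or Phalcon's. It assumes DBSession (with a token column, as findFirstByToken implies) and its user relation are the poster's own models, and it replaces the consumed token with a fresh random one so a captured token cannot be replayed.

```php
<?php
// Added example (not from the post): token handover using native PHP session
// functions. DBSession and its user relation are assumed to be the poster's models.
function tokenLogin(string $token = ''): bool
{
    if ($token === '') {
        return false;
    }

    // Look up the already-authenticated session (domain A) by its login token.
    $dbSession = DBSession::findFirstByToken($token);
    if ($dbSession === false || is_null($dbSession->userId) || $dbSession->user === false) {
        return false;
    }

    // Persist and release the current anonymous session on domain B first:
    // session_id() only takes effect while no session is active.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_id($dbSession->ssid);
    if (!session_start()) {
        return false;
    }

    $_SESSION['auth']   = true;
    $_SESSION['userId'] = $dbSession->user->id;
    if ($dbSession->user->isAdmin) {
        $_SESSION['isAdmin'] = true;
    }

    // Rotate the login token: the one just used is invalidated in the table,
    // and the replacement is unpredictable (random_bytes, PHP 7+), unlike an
    // md5() over partly guessable inputs such as the IP address and timestamp.
    $newToken = bin2hex(random_bytes(32));
    $_SESSION['token'] = $newToken;
    $dbSession->token  = $newToken;   // assumed column name, matching findFirstByToken
    if (!$dbSession->save()) {
        return false;
    }

    // Update login data.
    $dbSession->user->lastLoginDate = date('Y-m-d H:i:s');
    $dbSession->user->lastLoginIP   = $_SERVER['REMOTE_ADDR'];
    return (bool) $dbSession->user->save();
}
```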