0

I have a login system on my website. If I use the URL without www and log in, it works normally, but when I change the URL of my website by adding www to it, the website shows my account as logged out. If I change the URL again by removing www, it shows my account as logged in (without logging in again). My login function is:

    $username = $_POST['username'];

    $password = md5($_POST['password']);

    $users = $GLOBALS['db']->query("SELECT * FROM users WHERE username='$username' AND password='$password'") or $GLOBALS['db']->raise_error(); // Leaving 'raise_error()' blank will create an error message with the SQL
    $users_number = $GLOBALS['db']->num_rows($users);
    if(!empty($users_number))
    {
        while($users_sql = $GLOBALS['db']->fetch_array($users))
        {
            $_SESSION['username'] = $username;
            $_SESSION['id'] = $users_sql['id'];
            $_SESSION['logged_in'] = 'true';
            header('Location:./');
        }
    }
    else
    {
        $error_msg = "Wrong combination";
        header('Location:?page=login.php&login_error_msg='.$error_msg);
    }

I want to know whether there is any change that I should make so that www.example.com and example.com see the same login credentials.

Basel
  • 5
    They are different domains. Choose the one you want, and have the other one redirect to it, so that you avoid the problem entirely. – halfer Sep 17 '13 at 14:59
  • 1
    Try to avoid using MD5 for password encryption. It is considered deprecated. – Justin Wood Sep 17 '13 at 15:00
  • @halfer: make your comment an answer. Basel, Halfer is right because cookies (how `$_SESSION` is tied to the user) don't port between domain names (by default, anyway -- best just to redirect from one to the other and run all code from one domain). – PaulProgrammer Sep 17 '13 at 15:01
  • 1
    You must set the session cookie for all subdomains: http://stackoverflow.com/questions/644920/allow-php-sessions-to-carry-over-to-subdomains – Alexandr Perfilov Sep 17 '13 at 15:01
  • How are they different domains when both of them show the same website? – Basel Sep 17 '13 at 15:01
  • Are you securing that query somehow? It looks like you're putting $_POST['username'] directly inside it. – lelloman Sep 17 '13 at 15:02
  • @Basel, Apache is treating them as the same (one is probably an alias of the other inside the vhost) but PHP is seeing them as different. As others have said, you can mark your session cookie as being valid on all sub-domains if you wish. – halfer Sep 17 '13 at 15:22

2 Answers

2

http://www.example.com and http://example.com are two different domains. If you want a proper website, please use a 301 redirect in your .htaccess file. My example always redirects the user to www.example.com:

    <IfModule mod_rewrite.c>
        RewriteEngine On

        RewriteCond %{HTTP_HOST} !^www\.
        RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>

Laurynas Mališauskas
1

Use

    void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

The $domain part should be .your-domain.com; the default would be the full domain you entered as URL (either www.your-domain.com or your-domain.com). With the starting . you tell PHP to work the session cookie around all subdomains. This way, www.your-domain.com, your-domain.com and falafel.your-domain.com will all share the same session.

See http://www.php.net/manual/en/function.session-set-cookie-params.php for more details.

Salketer
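
The behaviour described in the question and in both answers comes from how the browser scopes cookies. The following is an added example, not code from the question or from either answer: it models the RFC 6265 storage and matching rules in JavaScript. The host names and the session ID value are constructed, and a real browser's public-suffix and IP-address checks are left out.

```javascript
// Added example: models how a browser scopes cookies (RFC 6265, sections 5.1.3 and 5.3).
// Host names and the session ID are constructed; public-suffix and IP checks are omitted.

// RFC 6265 domain-match: same host, or host is a subdomain of `domain`.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// What the browser stores when `requestHost` answers with Set-Cookie.
function storeCookie(requestHost, name, value, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) {
    // No Domain attribute (PHP's default): host-only cookie.
    return { name, value, domain: host, hostOnly: true };
  }
  // A leading dot is ignored: ".example.com" equals "example.com".
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  // A host may not set a cookie for a domain it does not belong to.
  if (!domainMatch(host, domain)) return null;
  return { name, value, domain, hostOnly: false };
}

// Would the browser attach `cookie` to a request for `requestHost`?
function isSent(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Which of the given hosts receive the cookie.
function receivingHosts(cookie, hosts) {
  return hosts.filter((h) => isSent(cookie, h));
}

const HOSTS = ["example.com", "www.example.com", "falafel.example.com", "badexample.com"];

// Login on example.com with PHP's default settings: no Domain attribute.
const hostOnly = storeCookie("example.com", "PHPSESSID", "constructed-session-id");
// Login after session_set_cookie_params(..., ".example.com", ...).
const shared = storeCookie("www.example.com", "PHPSESSID", "constructed-session-id", ".example.com");

console.log("host-only:", receivingHosts(hostOnly, HOSTS));
console.log("Domain=.example.com:", receivingHosts(shared, HOSTS));
```

The second list shows the trade-off of the Domain setting: every subdomain receives the session ID, including ones that have nothing to do with the login, whereas redirecting to one canonical host as in the first answer keeps the cookie host-only.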