
Why does the session id change when requesting through ajax in php?


Every point of entry or call to the server (APIs) needs to have session_start() at the beginning. If it does not read in the session identifier, it will act as if there wasn't one and then return a new session identifier. When your browser gets the response, it will overwrite the session identifier with the new one. Make sure that you have session_start() at the top of all places where you make a call to the server so that it knows what session to use.


There's actually not enough information to definitively answer this question. However, here's what we can tell based on this information.

If you're using the standard PHP session handler the session cookie will have a domain associated with it (which if not configured in php.ini or in your code will likely just be the domain the script was first called from). So for example, if you call a script that invokes session_start() from the domain www.stackoverflow.com and another script on chat.stackoverflow.com starts a session it will not have access to the cookie with the domain www.stackoverflow.com and thus will begin a new session.

Domains in the cookie header can bubble up, but not down. So if you want your session cookie to have access to all subdomains of Banana.com you must be sure to set the domain parameter correctly in each session initialization request with that domain.

See session_set_cookie_params and session_get_cookie_params for more details...

The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.

Additionally, you should note that cookies sent with the secure or http_only parameter set to true will not be readable over insecure or JavaScript initiated connections such as in the case of Ajax.
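As an added example (not code from any of the answers on this page), a shared bootstrap that applies the two points made so far: every entry point, Ajax endpoints included, starts the session, and all of them use the same cookie domain. The file name, the `example.com` domain and the `start_shared_session()` helper are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// session_bootstrap.php (hypothetical file name): require this at the top of
// every entry point, page or Ajax endpoint, before any output is sent.

// Assumption: the site lives on example.com and its subdomains.
const SESSION_COOKIE_DOMAIN = 'example.com';

function start_shared_session(): array
{
    // The ID the browser actually sent with this request, if any.
    $name   = session_name();                     // "PHPSESSID" by default
    $sentId = $_COOKIE[$name] ?? null;

    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Must be identical in every script that starts the session;
        // the array form needs PHP 7.3 or later.
        session_set_cookie_params([
            'lifetime' => 0,                      // until the browser closes
            'path'     => '/',
            'domain'   => SESSION_COOKIE_DOMAIN,  // parent domain covers subdomains
            'secure'   => true,                   // only sent over HTTPS
            'httponly' => true,                   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }

    $report = [
        'cookie_received' => $sentId !== null,
        // True when PHP issued a different ID than the one sent,
        // for example under session.use_strict_mode.
        'id_changed'      => $sentId !== null && $sentId !== session_id(),
        // Header set by jQuery and similar libraries; plain fetch() omits it.
        'is_ajax'         => ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest',
        'host'            => $_SERVER['HTTP_HOST'] ?? '',
    ];

    // A request without the cookie, or with a replaced ID, is the symptom
    // from the question; log it without writing the session ID itself.
    if (!$report['cookie_received'] || $report['id_changed']) {
        error_log('session mismatch: ' . json_encode($report));
    }
    return $report;
}

start_shared_session();
```

Comparing the logged `host` and `is_ajax` values for page loads and Ajax calls shows whether the Ajax request goes to a host the cookie's domain does not cover.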


The reasons why you would get a new session ID are

  • You cleared the session ID cookie (typically named PHPSESSID)
  • You visited a page that called session_regenerate_id() (unlikely)
  • Your session hit the max lifetime and was garbage collected. This is a distinct possibility if banana.com has a lot of visitors, because garbage is collected randomly when PHP is invoked
  • session_id() was invoked with a different session

So what to do?

  • Check out the session files on the server. They're simple text so you can open them and see what's inside. Make sure your session exists.
  • Check php.ini for a short session lifetime.
  • Load sessions into something else and see if it continues. Using a MySQL/memcached system with a custom session handler could reveal issues.