I have 3 sites:
In this scenario, if the sites are on the same server, in IE (and only in IE) all the sites have the same php session id. This means that somehow the session is shared between them. I do not want this behavior, I'd like them to have separated sessions.
Can someone provide me any explanation for this and any advice for handling this?
(If I had domains without the aaa part, everything would work well.)
You can change the session name, from the default PHPSESSID to a custom name for each sites. You can do it with session_name:
// change the session name for bbb.aaa.com
session_name('PHPSESSID_bbb_aaa_com');
It will be used that name to create a cookie name, unique for each domain.
Then you can change the domain attribute of the cookie for each domain. You can do it by changing the session.cookie_domain on your php.ini file.
; instead of allows all the subdomain with ".aaa.com", specify them with:
session.cookie_domain = bbb.aaa.com
You can also do it at runtime with session_set_cookie_params.
However, this isn't enough! If the session id is the same, even if you used different session names, the same data will be loaded, if the session informations are stored in a shared folder. To solve this problem, you can change the session.save_path configuration directive to an unique folder for each domain. You can do it at runtime with session_save_path:
session_save_path('/path/to/sess_for_bbb_aaa_com');