I have a standard authentication situation... The visitor fills in login + password on a form, a PHP script authenticates it against the database and redirects back to some page.
In this process, we just add session_regenerate_id(true) when the customer is successfully authenticated, just before the redirect. Everything works fine in Chrome, but it doesn't work in some versions (not all) of IE11 and the latest version of Edge (tried in VirtualBox, downloaded from modern.ie). Maybe it doesn't work in some other browsers either.
How does it work in Chrome:
How does it work in IE11/Edge:
The problem is that the session AAA is removed when regenerating the session id, so the client can't be authenticated.
It doesn't even work when there is no Location header and the script just shows a static page with a link to another page.
It looks like the browser is ignoring Set-Cookie.
When I remove session_regenerate_id(), it "works", but it's less secure.
I answer my question myself... The problem is that the Set-Cookie header doesn't contain a domain.
Example: www.site.com
Chrome: works OK, gets the domain from the current URL (www.site.com).
Edge: don't know how, but the new session id is saved to domain site.com.
Solution: use session_set_cookie_params() to set the domain to ".site.com" (all subdomains).
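The login flow from the question with the fix from the answer applied, as an added example (not the poster's own code): the cookie parameters are set before session_start(), so the Set-Cookie header that session_regenerate_id(true) emits after a successful login carries an explicit Domain attribute instead of relying on the browser to derive it from the URL. The host www.site.com, the /account redirect target and the find_user() lookup (backed here by a constructed in-memory user table instead of the database) are assumptions.

```php
<?php
// Added example, not from the original post. Assumes the site is served as
// www.site.com over HTTPS and that users are looked up by find_user(), which
// here reads a constructed in-memory table standing in for the database.
declare(strict_types=1);

// Value from the answer. Browsers following RFC 6265 ignore the leading dot,
// so '.site.com' and 'site.com' both cover www.site.com and every subdomain.
const SESSION_COOKIE_DOMAIN = '.site.com';

function configure_session_cookie(string $domain): void
{
    // Must run before session_start(); later changes do not affect the cookie.
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'domain'   => $domain,  // explicit Domain attribute on every Set-Cookie
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_name('SESSID');
}

// Constructed user table; the hash is created at startup so the example runs
// without a database. In production this is a query against the user table.
function find_user(string $login): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => [
                'id'   => 1,
                'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $users[$login] ?? null;
}

// Returns the user id on success, null on failure.
function authenticate(string $login, string $password): ?int
{
    $user = find_user($login);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return null;
    }
    return $user['id'];
}

function login_handler(): void
{
    configure_session_cookie(SESSION_COOKIE_DOMAIN);
    session_start();

    $login    = (string) ($_POST['login'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $userId = authenticate($login, $password);
    if ($userId === null) {
        http_response_code(401);
        echo 'Login failed';
        return;
    }

    // New session id on privilege change (defence against session fixation).
    // The Set-Cookie header emitted here now includes Domain=.site.com,
    // Secure and HttpOnly, because the parameters were set before session_start().
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();

    header('Location: /account', true, 303);
    exit;
}

if (PHP_SAPI !== 'cli') {
    login_handler();
}
```

To confirm the fix is in effect, post a valid login with `curl -si -d 'login=alice&password=...' https://www.site.com/login.php` and check that the response's Set-Cookie line for SESSID contains `domain=.site.com`, `secure` and `HttpOnly`; if the Domain attribute is missing, session_set_cookie_params() was called after session_start() or a php.ini session.cookie_domain setting is being overridden elsewhere.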