Reputation: 15374
How to change session cookie domain for existing users
My PHP web app currently has its session cookie domain set to example.com. I'd like to change it to .example.com. For new visitors, ini_set('session.cookie_domain', '.example.com') works. For visitors who already have the PHPSESSID cookie before this change is made, the domain remains at the old value. How can I change the domain on the session cookie without asking current users to delete their cookies?
- I can't use JavaScript to update the cookie because it's HTTPOnly for security reasons.
- Deleting the sessions on the server doesn't reset the whole cookie, it only updates the cookie value (keeping the domain the same).
- Modern browsers preserve the session across restarts, so even though the cookie is set to expire at the end of the browser session, the browser session effectively never ends.
The only possibility I can come up with is to set the cookie to expire in the past and then redirect to get a new cookie. But I can't know which visitors have the cookie domain set incorrectly.
Upvotes: 5
Views: 4738
Answers (1)
Reputation: 70913
Set a new session_name() before you start the session. That way the name of the cookie changes, and any old cookie will be ignored. Only new cookies will be sent out and work for the session.
Upvotes: 3
Related Questions
- PHP setcookie domain
- How to change the PHPSESSID cookie domain?
- How to set a cookie for a domain in PHP?
- How to change PHPSESSID cookie domain name in Wordpress?
- PHP / Apache how to set session.cookie_domain from outside php.ini
- how to change cookie to session?
- How to set Cookie one host to another host
- How to overwrite existing Cookie with new value in PHP?
- Replacing Session with Cookie
- Changed cookie domain, but old cookie is still used