user2506624

Reputation: 75

Session.cookie_domain in php.ini

I have been reading as much as possible about the php.ini file and I have found nothing about whether or not it's bad/dangerous to not set session.cookie_domain in the php.ini.

We are in a production environment and this is not set.

Are there security issues with not setting this? Cookies appear to be working well, no real issues.

The php.ini file looks like this:

session.cookie_domain =

Upvotes: 6

Views: 24890

Answers (1)

noraj

Reputation: 4642

Original answer (Edited to remove incorrect parts)

I disagree with the accepted answer. I think session.cookie_domain is not a configuration directive that allows you to restrict subdomains but to allow subdomains. If you read the PHP manual, it says that if the value of the directive is not defined (none, the default value) then the host name of the machine that generated the cookie is used as the cookie domain.

session.cookie_domain specifies the domain to set in the session cookie. Default is none at all meaning the host name of the server which generated the cookie according to cookies specification. See also session_get_cookie_params() and session_set_cookie_params().

Also, by default, PHP is configured so that sessions are unique to a domain. If you don't specify one but the domain of the server is example.org, your cookies will be valid only for the example.org domain, and invalid for any sub-domain like app.example.org or any other domain like corp.com.

The goal of session.cookie_domain is to actually allow the usage of sub-domains, so if you set session.cookie_domain = "example.org" it will act as a wildcard and accept any sub-domains.

So setting a wildcard session.cookie_domain = "example.org" is way more open to attacks than not setting it.

Updated answer

By reading Set-Cookie - MDN and Using HTTP cookies - HTTP - MDN, it seems that PHP behavior is deprecated.

Domain=<domain-value>

Defines the host to which the cookie will be sent.

If omitted, this attribute defaults to the host of the current document URL, not including subdomains.

Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.

Multiple host/domain values are not allowed, but if a domain is specified, then subdomains are always included.

Also

The Domain attribute specifies which hosts can receive a cookie. If unspecified, the attribute defaults to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included. Therefore, specifying Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.

For example, if you set Domain=mozilla.org, cookies are available on subdomains like developer.mozilla.org.

It seems that the current behavior is to ignore the leading dot and to implicitly allow all subdomains when you specify a domain. So in fact, the final answer is that using Domain is less secure than not using it. So the reality is exactly the opposite of the accepted answer.

Upvotes: 0
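To make the scoping rules from the answer above concrete, here is an added example (not code from the question, the answer, or PHP itself) that simulates the RFC 6265 cookie domain rules a browser applies: a cookie whose Set-Cookie omitted Domain is host-only and is sent back to exactly that host, while a cookie with Domain=example.org (or the legacy .example.org, leading dot ignored) is sent to example.org and every subdomain of it. It also shows that a server is only allowed to set a cookie for its own host or a parent domain, which is why a sibling domain such as corp.com is rejected. All hostnames are constructed for the example, and the public-suffix check from the RFC is left out for brevity.

```python
"""Simulate which hosts receive a session cookie depending on the Domain attribute.

Rules implemented (RFC 6265):
  - 5.2.3: a leading dot in the Domain attribute is ignored
  - 5.3 step 6: cookies are host-only when Domain is omitted; otherwise the
    response host must domain-match the requested Domain or the cookie is rejected
  - 5.1.3: domain-match = identical, or host ends with "." + domain
  - 5.4 step 1: host-only cookies are sent only on an exact host match
Hostnames below are constructed examples. The public-suffix check of 5.3 is omitted.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cookie:
    domain: str        # canonicalized domain the cookie is scoped to
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def canonicalize(host: str) -> str:
    """Lower-case and strip a trailing dot, the way a browser canonicalizes hosts."""
    return host.strip().rstrip(".").lower()


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or host ends with '.' + domain."""
    return host == domain or host.endswith("." + domain)


def store_cookie(response_host: str, domain_attr: Optional[str]) -> Cookie:
    """Decide how a browser stores a cookie set by response_host.

    domain_attr is the value of the Domain attribute, or None when omitted
    (the PHP default when session.cookie_domain is empty).
    """
    host = canonicalize(response_host)
    if not domain_attr:
        # No Domain attribute: host-only cookie, scoped to exactly this host.
        return Cookie(domain=host, host_only=True)
    # Leading dot is ignored (RFC 6265 5.2.3).
    domain = canonicalize(domain_attr).lstrip(".")
    # A host may only set cookies for itself or a parent domain (5.3 step 6).
    if not domain_matches(host, domain):
        raise ValueError(f"{response_host} may not set a cookie for Domain={domain_attr}")
    return Cookie(domain=domain, host_only=False)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 5.4 step 1: would the browser attach this cookie to a request?"""
    host = canonicalize(request_host)
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def scope(response_host: str, domain_attr: Optional[str], request_hosts: List[str]) -> Dict[str, bool]:
    """Map each request host to whether it receives the cookie set by response_host."""
    cookie = store_cookie(response_host, domain_attr)
    return {h: cookie_sent_to(cookie, h) for h in request_hosts}


# Constructed hosts: the site, a subdomain, a deeper subdomain, a look-alike
# suffix trick, and an unrelated domain.
HOSTS = ["example.org", "app.example.org", "evil.app.example.org",
         "example.org.attacker.com", "corp.com"]

if __name__ == "__main__":
    for attr in (None, "example.org", ".example.org"):
        label = "omitted" if attr is None else f"Domain={attr}"
        print(f"session.cookie_domain {label}:")
        for host, sent in scope("example.org", attr, HOSTS).items():
            print(f"  {host:28s} {'receives' if sent else 'does not receive'} the cookie")
```

Run stand-alone, the script prints that with session.cookie_domain empty only example.org receives the cookie, whereas with Domain=example.org (dotted or not) app.example.org and evil.app.example.org receive it too; example.org.attacker.com and corp.com never do, since the match is on a dot boundary rather than a string suffix.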
