Cross Server Cookies, PHP

Question

We have 2 web servers, one secure and one normal.

Is it possible to set a cookie like this

setcookie("basket[id]", $newID, time()+60*60*24, "/", SITE_URL, 0, true);  
setcookie("basket[id]", $newID, time()+60*60*24, "/", SECURE_SITE_URL, 1, false);

Where

SITE_URL = www.sitename.com  
SECURE_SITE_URL = xxxxx.securesitename.com

Kyle

Answer 1

You cannot set a cookie for a domain other than the current or a superset of it (like example.com is a superset of foo.example.com and bar.example.com). That means the second Set-Cookie will get rejected by the browser.

One solution is to use a subdomain of your main domain for your secure domain, like secure.example.com. Then a cookie set for .example.com would be available at www.example.com as well as at secure.example.com.

Answer 2

Set Cookie

With setcookie you can set the domain parameter to indicate where the cookie is available. To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers.

As long as your servers are referred to with different sub-domains, you can set your cookies accordingly.

Secure parameter

Secure, indicates that the cookie should only be transmitted over a secure HTTPS connection from the client.

Setting a Cookie on a different domain

A server cannot set a cookie for a domain that it isn't a member of.

The server issuing the cookie must be a member of the domain that it tries to set in the cookie. That is, a server called www.myserver.com cannot set a cookie for the domain www.yourserver.com.

How Double Click do it

One exception to the rule is ad agency Double click. Who manage to add cookies to your PC without you visiting the specific web site by packaging cookies with image requests when they are loaded from their servers onto other peoples web sites.