Reputation: 99398
PHP: Cookie domain / subdomain control
I'm working on a site with multiple subdomains, some of which should get their own session.
I think I've got it worked out, but have noticed something about cookie handling that I don't understand. I don't see anything in the docs that explains it, so thought I would see if anyone here has some light to shed on the question.
If I just do:
session_start();
I end up with a session cookie like this:
subdomain.example.net
However, if I make any attempt to set the cookie domain myself, either like
ini_set('session.cookie_domain', 'subdomain.example.net');
or like
session_set_cookie_params( 0, "/", "subdomain.example.net", false, false);
I end up with a cookie for .subdomain.example.net (note the opening dot), which I believe means "match all subdomains (or in this case sub-subdomains).
This seems to happen with all my cookies actually, not just session. If I set the cookie domain myself, it automatically has the dot prepended, meaning this domain and all subs of it. If I don't set the domain, then it gets it right by using only the current domain.
Any idea what causes this, and what I can do to control that prepending dot?
Thanks!
Upvotes: 33
Views: 55521
Answers (6)
Reputation: 5341
If you read all of RFC 6265, you'll realize that the only proper way to have a "host-only" cookie is to NOT set the domain attribute.
https://www.rfc-editor.org/rfc/rfc6265#section-5.4
Upvotes: 17
Reputation: 316
I was having a problem to set cookies on wordpress and this helped me, the domain value was the key to get it working in all the pages
$domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false;
setcookie("cookie_name", 'cookie_value', 0, '/', $domain);
Upvotes: 0
Reputation: 1028
I realise this is an old question but I was having this problem and none of the answers above quite did it.
I wanted to set the session cookie for a subdomain, but also enable httponly and secure.
To avoid a leading . infront of the subdomain, Kevin and stolsvik are correct don't set the domain attribute.
So to do this and still be able to set httponly and secure mode, set the domain to NULL as follows:
session_set_cookie_params(0, '/', NULL, TRUE, TRUE);
You will now have a session cookie, for a specific subdomain (without a leading .) with httponly and secure set to true.
Upvotes: 12
Reputation: 99
This may help someone (i spent some hours to figure this out). After make the changes in the source files and before you test it, close your browser to properly destroy PHPSESSIONID in all domains and subdomains.
Hope this save some time!
Upvotes: 2
Reputation: 2339
If you run your PHP script under "http://subdomain.example.net", don't use the domain parameter:
setcookie('cookiename','cookievalue',time()+(3600*24),'/');
You will get a cookie with "subdomain.example.net" (and not ".subdomain.example.net")
Upvotes: 22
Reputation: 23989
PHP's cookie functions automatically prefix the $domain with a dot. If you don't want this behavior you could use the header function. For example:
header("Set-Cookie: cookiename=cookievalue; expires=Tue, 06-Jan-2009 23:39:49 GMT; path=/; domain=subdomain.example.net");
Upvotes: 24
Related Questions
- Using same cookie across selective subdomains
- Set session cookies for specific subdomains
- Cookie for subdomain
- Set/Read cookies from subdomain to domain
- Set cookie from main domain for subdomain
- PHP authentication with multiple domains and subdomains
- Apache / PHP Disable Cookies for Subdomain?
- Cookies And Subdomain
- Setting cookies on domain/subdomain
- How can I carry cookies in php to multiple subdomain