php session_set_cookie_params() for two domains

Question

I need to set the PHPSESSID coockie for just two domains:

• www.domain.tld
• sub.domain.tld.

Other subdomains should not share the same PHPSESSID.

I can use session_set_cookies_param(), but as far as I can see, this can only set it for one domain or all subdomains.

But in my case, subdomain anothersub.domain.tld should not have this PHPSESSID.

I want this because we have images on a subdomain, and setting the PHPSESSID for all subdomains causes the browser to send the PHPSESSID cookie with the request. This has slight performance issues for static resources and it is recommended to use cookieless domains

Answer 1

While as was already explained, this is not technically possible, due to the cookie “syntax”, I think you should be able to work around that, if you simply set a second cookie yourself.

• Use session_set_cookies_param to have it set the cookie for www.domain.tld only.

• Add your own code after session_start, that sets the “same” cookie again, just for sub.domain.tld this time.

session_name and session_id help your figure out the necessary name and value; if you want, you can also use session_get_cookie_params to match other parameters (like lifetime and maybe path, if the latter makes any sense in the given setup) as well if you like.

---

Edit: Keep in mind though, that if the session id might change at any other point within your app after session_start, for example if session_regenerate_id is used anywhere, you will of course have to update your second cookie there as well.

Answer 2

This can't be done this way, this is unrelated to PHP. This is how cookies works in general. Only one domain (or a domain with a dot in front) can be set.

You have to use different domain for image hosting.