Difference between host and domain when dealing with cookies?


sorenchr

Hi there, I have two PHP pages which act as a login system for visitors to my site.

The first one, index.php, contains a form which sends data to the second PHP page, login.php. But it also registers if a user has "remember me" cookies stored, and automatically redirects the user to login.php for validation of the cookie contents if he/she has any. If the cookie values are not valid, the user's cookies are unset, and he/she is redirected back to index.php.

 

So today, I was fumbling around with my site to check for security holes, and I manually added the "remember me" cookies using a Firefox plugin. I was let through to login.php, but somehow the cookies were not unset (I filled them with invalid data), and that created a never-ending loop. Now, when adding the cookies in the plugin, I noticed that I added my domain as the host for the cookie, which the server apparently accepted. When I examine some of the other cookies, automatically set by my webserver, I notice that no host is set, just the domain.

 

So I guess my question is, how come my index.php accepts the cookies even though they are not valid?

 

Best regards

Sorenchr

A cookie with a specific host value set is not invalid; it just means that it will only match (and be sent to the web server) when the URL being requested has that same host in it.

 

If you entered www as the host in the cookie, the cookie will be sent to the server for the URL www.yourdomain.com, but if you just use the URL yourdomain.com, the host portion of the cookie does not match the URL and the cookie won't be sent to the server.

 

The reason you could not delete the cookie is that you must provide the same parameters that match the cookie. Also, it is a waste of time (and can be bypassed easily) to unset/delete cookies.

Well, I guess my real problem is that I can't unset those cookies, therefore causing the never-ending loop.

Here's a simplified example of my problem:

 

index.php

if(isset($_COOKIE['username']) && isset($_COOKIE['userid'])) {
  header("Location: login/login.php");
  exit;
}

 

login.php

<?php
if (isset($_COOKIE['username']) && isset($_COOKIE['userid'])) {
  if ($database->validateCookies($_COOKIE['username'], $_COOKIE['userid'])) { // This function matches the cookie with the db.
    // Cookies are valid, log user in
  } else {
    // Cookies are invalid, unset cookies and redirect user back.
    setcookie("username", "", time() - 3600, COOKIE_PATH, COOKIE_DOMAIN);
    setcookie("userid", "", time() - 3600, COOKIE_PATH, COOKIE_DOMAIN);
    // COOKIE_PATH and COOKIE_DOMAIN are both defined in another file.
  }
}
?>

 

So the problem is that when the script tries to unset the cookies, they aren't recognized as "my" cookies, however, when checking for $_COOKIE['username'] and $_COOKIE['userid'] the webserver assumes it set them itself.
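
Added example, not part of the original thread: a simplified JavaScript model of browser cookie storage (cookies keyed by name, domain and path, as in RFC 6265 section 5.3) showing why an expiring setcookie() with a different domain leaves a hand-planted host-only cookie in place, so both pages keep seeing it. The host www.example.com, the Domain value example.com standing in for COOKIE_DOMAIN, the "/" path and the cookie values are assumptions.

```javascript
// Simplified model of browser cookie storage (RFC 6265, section 5.3).
// Hosts, paths and values are constructed for illustration.
const domainMatch = (host, domain) =>
  host === domain || host.endsWith("." + domain);
const pathMatch = (reqPath, cookiePath) =>
  reqPath === cookiePath ||
  (reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/"));

class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie header received in a response from requestHost.
  set(requestHost, { name, value, domain, path = "/", expires = Infinity }) {
    const hostOnly = domain === undefined; // no Domain attribute: host-only cookie
    const cookieDomain = hostOnly
      ? requestHost
      : domain.replace(/^\./, "").toLowerCase();
    if (!domainMatch(requestHost, cookieDomain)) return false; // foreign domain: ignored
    const key = [name, cookieDomain, path].join("|");
    // An expiry in the past removes only the entry stored under the identical key.
    if (expires <= Date.now()) this.store.delete(key);
    else this.store.set(key, { name, value, domain: cookieDomain, path, hostOnly });
    return true;
  }

  // Names of the cookies the browser attaches to a request for host + path.
  sentTo(host, reqPath) {
    return [...this.store.values()]
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .filter(c => pathMatch(reqPath, c.path))
      .map(c => c.name);
  }
}

// Plant a host-only cookie (as a browser plugin would), then replay the
// server's deletion attempt with the given attributes.
function cookiesAfterDelete(deleteAttrs) {
  const jar = new CookieJar();
  jar.set("www.example.com", { name: "userid", value: "bogus", path: "/" });
  jar.set("www.example.com",
    { name: "userid", value: "", expires: Date.now() - 3600e3, ...deleteAttrs });
  return jar.sentTo("www.example.com", "/index.php");
}

console.log(cookiesAfterDelete({ domain: "example.com", path: "/" })); // [ 'userid' ]
console.log(cookiesAfterDelete({ path: "/" }));                        // []
```

Since the client decides which cookies exist and with which attributes, the redirect decision is safer when it depends on the server-side validation result rather than on the mere presence of the cookies.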
