[SOLVED] www.example.com & example.com Difference Session Cookie Woes

[CloudSex13]

Hi, thanks for reading.

 

I have a website, let's call it www.example.com.

 

When www.example.com is accessed, a user can log in to the site and it will set a PHPSESSID session cookie. My session cookie code is:

 

session_start();
session_regenerate_id();
$_SESSION['username'] = $username;
$_SESSION['accountid'] = $accountid;
$_SESSION['loggedin'] = true;
header("Location: main.php");
die();

 

When the cookie is set, the host parameter of the cookie is: www.example.com

 

When a user goes to example.com and logs in, a session cookie is set, but the host parameter of the cookie is: example.com

 

A user can log into www.example.com and example.com with two separate sessions, and this screams insecure.

 

Could anyone suggest a way to only have the session cookie be set for www.example.com?

 

Thanks if so.

[haku]

I personally set all my sites up using my .htaccess to redirect example.com to www.example.com. This will solve your problems. Some people go the other way as well (removing the www by default).

[CloudSex13]

Thanks, dawg.

 

Here's the code I found online if you're using a Linux machine:

 

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.(.*)
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]