Jump to content

Setting the domain correctly for cookies

newbtophp

By newbtophp
in PHP Coding Help

 Share

Recommended Posts

newbtophp Advanced Member

newbtophp

Posted
Posted (edited)

I have a script where $site (location of where it's hosted) will either be in the format of a subdomain e.g. 'something.domain.com' or a domain 'domain.com', and the cookies are handled like the following:




ini_set('session.cookie_domain', $site); //for sessions


setcookie($name, $value, $expiry, '/', $site, false, true); //for others

My question is the script's canonical url is non-www and I don't want other subdomains for various reasons (including security) being able to access/read the cookies (e.g. 'www.something.domain.com' or 'www.domain.com' or 'somethingelse.domain.com' or 'www.somethingelse.domain.com'), so would you say the above will work okay (providing $site does not proceed with www. or .)?


 


I have searched around (also referred to php.net) and believe the above will be okay from my understanding - but wanted reassurance as I had read many conflicting/confusing information!


 


Edit: If the above won't work - I thought about maybe setting $site to false (the .htaccess code would enforce access only via non-www)?


Edited by newbtophp
Link to comment
Share on other sites
ginerjm Prolific Member

ginerjm

Posted
Posted

Yes I am. And I see now how confusing my answer was to you. IF I had bothered to check first I would have said that the \ in the 4th argument would ensure that your cookies would be in the correct place regardless of what domain name was in $site. The cookies will be in the domain root because of the \ although the absolute path of that location will be different depending upon the current $site/domain value.

Link to comment
Share on other sites
newbtophp Advanced Member

newbtophp

Posted
  • Author
Posted

Yes I am. And I see now how confusing my answer was to you. IF I had bothered to check first I would have said that the \ in the 4th argument would ensure that your cookies would be in the correct place regardless of what domain name was in $site. The cookies will be in the domain root because of the \ although the absolute path of that location will be different depending upon the current $site/domain value.

 

Appreciate you clarifying, however if $site was set to domain.com, would cookies be readable on any other variation such as www.domain.com or somethingelse.domain.com or www.somethingelse.domain.com (which is what I don't want)?

Link to comment
Share on other sites
ginerjm Prolific Member

ginerjm

Posted
Posted

I'm not sure but I think that www.xyz.com is the same as xyz.com. Somehow. The 'true' subdomains tho are different. Either way if you begin in a specific domain name and set some cookies in the root folder they will be there for any users of said domain. What else could you want? In what world would you need cross-referencing of them between apps running in different domains?

Link to comment
Share on other sites
newbtophp Advanced Member

newbtophp

Posted
  • Author
Posted (edited)

I'm not sure but I think that www.xyz.com is the same as xyz.com. Somehow. The 'true' subdomains tho are different. Either way if you begin in a specific domain name and set some cookies in the root folder they will be there for any users of said domain. What else could you want? In what world would you need cross-referencing of them between apps running in different domains?

 

I guess cookies being readable on the www. version is really a no issue, the main concern lies with cookies being readable on subdomains - which I don't want (due to security).

Edited by newbtophp
Link to comment
Share on other sites
ginerjm Prolific Member

ginerjm

Posted
Posted

From the manual:

 

domain

The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated » RFC 2109 may require a leading . to match all subdomains.

 

Not sure what this means 'higher subdomains'. I always think of a sub as 'lower'. IIRead this correctly it says that a cookie in www.xyz.com will be available in xyz.com as well.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.