newbtophp, posted January 25, 2015 (edited):

I have a script where $site (location of where it's hosted) will either be in the format of a subdomain e.g. 'something.domain.com' or a domain 'domain.com', and the cookies are handled like the following:

    ini_set('session.cookie_domain', $site); //for sessions
    setcookie($name, $value, $expiry, '/', $site, false, true); //for others

My question is the script's canonical url is non-www and I don't want other subdomains for various reasons (including security) being able to access/read the cookies (e.g. 'www.something.domain.com' or 'www.domain.com' or 'somethingelse.domain.com' or 'www.somethingelse.domain.com'), so would you say the above will work okay (providing $site does not proceed with www. or .)?

I have searched around (also referred to php.net) and believe the above will be okay from my understanding - but wanted reassurance as I had read many conflicting/confusing information!

Edit: If the above won't work - I thought about maybe setting $site to false (the .htaccess code would enforce access only via non-www)?

Edited January 25, 2015 by newbtophp

ginerjm, posted January 25, 2015:

I think that a simple \ should work. It will represent the root folder of whatever the domain is pointing to, no?

newbtophp (author), posted January 25, 2015:

> I think that a simple \ should work. It will represent the root folder of whatever the domain is pointing to, no?

Hmm... If I understand you correctly - do you mean changing $site to '/'? - did not know you could do that.

ginerjm, posted January 25, 2015:

Why don't you read the manual re: cookies? You do read the manual when you have questions first, don't you?

newbtophp (author), posted January 25, 2015:

> Why don't you read the manual re: cookies? You do read the manual when you have questions first, don't you?

I have, as mentioned in my initial post. My follow-up question was to clarify your response: are you referring to the fourth param of setcookie()?

ginerjm, posted January 25, 2015:

Yes I am. And I see now how confusing my answer was to you. IF I had bothered to check first I would have said that the \ in the 4th argument would ensure that your cookies would be in the correct place regardless of what domain name was in $site. The cookies will be in the domain root because of the \ although the absolute path of that location will be different depending upon the current $site/domain value.

newbtophp (author), posted January 25, 2015:

> Yes I am. And I see now how confusing my answer was to you. IF I had bothered to check first I would have said that the \ in the 4th argument would ensure that your cookies would be in the correct place regardless of what domain name was in $site. The cookies will be in the domain root because of the \ although the absolute path of that location will be different depending upon the current $site/domain value.

Appreciate you clarifying, however if $site was set to domain.com, would cookies be readable on any other variation such as www.domain.com or somethingelse.domain.com or www.somethingelse.domain.com (which is what I don't want)?

ginerjm, posted January 25, 2015:

I'm not sure but I think that www.xyz.com is the same as xyz.com. Somehow. The 'true' subdomains tho are different. Either way if you begin in a specific domain name and set some cookies in the root folder they will be there for any users of said domain. What else could you want? In what world would you need cross-referencing of them between apps running in different domains?

newbtophp (author), posted January 25, 2015 (edited):

> I'm not sure but I think that www.xyz.com is the same as xyz.com. Somehow. The 'true' subdomains tho are different. Either way if you begin in a specific domain name and set some cookies in the root folder they will be there for any users of said domain. What else could you want? In what world would you need cross-referencing of them between apps running in different domains?

I guess cookies being readable on the www. version is really a no issue, the main concern lies with cookies being readable on subdomains - which I don't want (due to security).

Edited January 25, 2015 by newbtophp

ginerjm, posted January 25, 2015:

From the manual:

> domain
> The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.

Not sure what this means 'higher subdomains'. I always think of a sub as 'lower'. If I read this correctly it says that a cookie in www.xyz.com will be available in xyz.com as well.

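Added example (not part of the thread and not any poster's code): a small PHP model of how an RFC 6265 browser scopes a cookie, comparing the Domain=domain.com case from the question with a cookie set without a Domain attribute. The function names `cookieSentTo` and `setHostOnlyCookie` are hypothetical, the host list is constructed from the names used in the question, and the model assumes the browser accepted the cookie when it was set.

```php
<?php
// Added example. Models RFC 6265 cookie scoping: domain-match (section 5.1.3)
// and the host-only flag (section 5.3). Names here are hypothetical.

/** Would a browser send the cookie to $requestHost?
 *  $domainAttr is the domain argument given to setcookie(); '' means omitted. */
function cookieSentTo(string $setByHost, string $domainAttr, string $requestHost): bool
{
    $requestHost = strtolower($requestHost);
    if ($domainAttr === '') {
        // Host-only cookie: sent only to the exact host that set it.
        return $requestHost === strtolower($setByHost);
    }
    // RFC 6265 user agents drop one leading dot from the Domain attribute.
    $domain = strtolower($domainAttr[0] === '.' ? substr($domainAttr, 1) : $domainAttr);
    if ($requestHost === $domain) {
        return true;
    }
    // Subdomain match: host ends with ".<domain>" and is not an IP address.
    $suffix = '.' . $domain;
    return substr($requestHost, -strlen($suffix)) === $suffix
        && filter_var($requestHost, FILTER_VALIDATE_IP) === false;
}

/** Same flags as the call in the question, but '' as the domain argument,
 *  so PHP emits no Domain attribute and the cookie is host-only. */
function setHostOnlyCookie(string $name, string $value, int $expiry): bool
{
    return setcookie($name, $value, $expiry, '/', '', false, true);
}
// For sessions, an empty session.cookie_domain (the PHP default) has the same effect.

// Constructed host list, taken from the names in the question.
$hosts = ['domain.com', 'www.domain.com', 'somethingelse.domain.com',
          'www.somethingelse.domain.com'];
foreach (['domain.com', ''] as $domainAttr) {
    $label = $domainAttr === '' ? '(omitted)' : $domainAttr;
    foreach ($hosts as $host) {
        $sent = cookieSentTo('domain.com', $domainAttr, $host);
        printf("Domain=%-12s host=%-30s %s\n", $label, $host, $sent ? 'sent' : 'not sent');
    }
}
```

With Domain=domain.com every listed host receives the cookie; with the attribute omitted only domain.com does.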