Setting the domain correctly for cookies

[newbtophp]

I have a script where $site (location of where it's hosted) will either be in the format of a subdomain e.g. 'something.domain.com' or a domain 'domain.com', and the cookies are handled like the following:

ini_set('session.cookie_domain', $site); //for sessions


setcookie($name, $value, $expiry, '/', $site, false, true); //for others

My question is the script's canonical url is non-www and I don't want other subdomains for various reasons (including security) being able to access/read the cookies (e.g. 'www.something.domain.com' or 'www.domain.com' or 'somethingelse.domain.com' or 'www.somethingelse.domain.com'), so would you say the above will work okay (providing $site does not proceed with www. or .)?

 

I have searched around (also referred to php.net) and believe the above will be okay from my understanding - but wanted reassurance as I had read many conflicting/confusing information!

 

Edit: If the above won't work - I thought about maybe setting $site to false (the .htaccess code would enforce access only via non-www)?

[ginerjm]

I think that a simple \ should work. It will represent the root folder of whatever the domain is pointing to, no?

[newbtophp]

I think that a simple \ should work. It will represent the root folder of whatever the domain is pointing to, no?

 

Hmm...If I understand you correctly - do you mean changing $site to '/' ? - did not know you could do that.

[ginerjm]

Why don't you read the manual re: cookies? You do read the manual when you have questions first, don't you?

[newbtophp]

Why don't you read the manual re: cookies? You do read the manual when you have questions first, don't you?

 

I have as mentioned in my initial post, my follow up question was to clarify your response, are you referring to the fourth parem of setcookie()?

[ginerjm]

Yes I am. And I see now how confusing my answer was to you. IF I had bothered to check first I would have said that the \ in the 4th argument would ensure that your cookies would be in the correct place regardless of what domain name was in $site. The cookies will be in the domain root because of the \ although the absolute path of that location will be different depending upon the current $site/domain value.

[newbtophp]

Yes I am. And I see now how confusing my answer was to you. IF I had bothered to check first I would have said that the \ in the 4th argument would ensure that your cookies would be in the correct place regardless of what domain name was in $site. The cookies will be in the domain root because of the \ although the absolute path of that location will be different depending upon the current $site/domain value.

 

Appreciate you clarifying, however if $site was set to domain.com, would cookies be readable on any other variation such as www.domain.com or somethingelse.domain.com or www.somethingelse.domain.com (which is what I don't want)?

[ginerjm]

I'm not sure but I think that www.xyz.com is the same as xyz.com. Somehow. The 'true' subdomains tho are different. Either way if you begin in a specific domain name and set some cookies in the root folder they will be there for any users of said domain. What else could you want? In what world would you need cross-referencing of them between apps running in different domains?

[newbtophp]

I'm not sure but I think that www.xyz.com is the same as xyz.com. Somehow. The 'true' subdomains tho are different. Either way if you begin in a specific domain name and set some cookies in the root folder they will be there for any users of said domain. What else could you want? In what world would you need cross-referencing of them between apps running in different domains?

 

I guess cookies being readable on the www. version is really a no issue, the main concern lies with cookies being readable on subdomains - which I don't want (due to security).

[ginerjm]

From the manual:

 

domain

The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated » RFC 2109 may require a leading . to match all subdomains.

 

Not sure what this means 'higher subdomains'. I always think of a sub as 'lower'. IIRead this correctly it says that a cookie in www.xyz.com will be available in xyz.com as well.