I have a website which is on (myapp.com). Now I created a separate (digitalocean) webhosting (test.myapp.com) for my testing environment.
The issue is that the saved cookies, used by myapp.com, are also being used for my test.myapp.com.
How can I make sure my cookies are only being used by one domain? Is it good practice to do so?
Thank you.
You can specify the domain while creating a cookie. Here it is the fifth parameter. You can find it in the docs as well.
If you use the cookie() helper function:
cookie('my-cookie', 'my-value', 0, null, 'myapp.com');
Make sure that your domain in config/session.php has no . in front of it; this makes the cookie work on all subdomains.
If the value is set to null, set it to the domain name for your website, including the subdomain if applicable.
I need to set the PHPSESSID cookie for just two domains:
www.domain.tld
sub.domain.tld.
Other subdomains should not share the same PHPSESSID.
I can use session_set_cookie_params(), but as far as I can see, this can only set it for one domain or all subdomains.
But in my case, subdomain anothersub.domain.tld should not have this PHPSESSID.
I want this because we have images on a subdomain, and setting the PHPSESSID for all subdomains causes the browser to send the PHPSESSID cookie with the request. This has slight performance issues for static resources and it is recommended to use cookieless domains.
This can't be done this way; this is unrelated to PHP. This is how cookies work in general. Only one domain (or a domain with a dot in front) can be set.
You have to use a different domain for image hosting.
While as was already explained, this is not technically possible, due to the cookie “syntax”, I think you should be able to work around that, if you simply set a second cookie yourself.
Use session_set_cookie_params to have it set the cookie for www.domain.tld only.
Add your own code after session_start, that sets the “same” cookie again, just for sub.domain.tld this time.
session_name and session_id help you figure out the necessary name and value; if you want, you can also use session_get_cookie_params to match other parameters (like lifetime and maybe path, if the latter makes any sense in the given setup) as well.
Edit: Keep in mind though, that if the session id might change at any other point within your app after session_start, for example if session_regenerate_id is used anywhere, you will of course have to update your second cookie there as well.
I'm having some pretty weird error when I want to set my session cookie.
If I use the following rule:
session_set_cookie_params(0, '/', $_SERVER['HTTP_HOST'], false, true);
//$_SERVER['HTTP_HOST'] resolves into "jscripting.nl"
It will always put a "." in front of the url and it will always make it so that my session_id will become accessible on all my subdomains, which is a problem since I develop on one of my subdomains and the session IDs might interfere with each other.
Is there something I'm doing wrong or is something wrong with my server setup?
$_SERVER['HTTP_HOST'] does not relate to server setup, it is coming from Host header of the request that a client makes.
If you want to use a server name that is configured on the server side, the way to do it is normally to use $_SERVER['SERVER_NAME'], though in some cases that is affected by host header, too.
Edit: apparently, any value for the domain will by default have a dot appended, so it will include any subdomains, and the only valid way to have it apply to the current domain only is to not set the param or to use raw headers to set the cookie. See more on this subject in this thread.
You can make the cookie httponly and still have it work in your case by setting null on the domain name parameter.
If I belong to the no-www camp, cookies I have set in http://example.com would be read by http://sub-domain.example.com,
And regardless of the language I use (perl / asp.net / php / JSP) there is no way I could ever work around this issue because it is a fundamental architecture of HTTP itself, true or false?
What I'm concerned here is, is there any DNS config that would prevent http://sub-domain.example.com from reading the cookies set in http://example.com ?
I have a domain name http://qweop.com
I have a subdomain at http://sd.qweop.com
Now, the problem is that even though I've not set any cookies on http://sd.qweop.com, when I read the cookies, there are cookies there. They are reading cookies from http://qweop.com.
How do I fix the problem so that the cookies from the main domain would not be read by (a request to) the sub-domain?
I've tried altering the 5th parameter of the php setcookie function but it doesn't seem to do anything. Basically that parameter is like useless. I'm suspecting it's a limitation of the HTTP infrastructure.
DETAILS:
http://qweop.com/set.php (try to use incognito to allow easy cookie removal)
<?php setcookie("testcookie","testvalue",time()+60*60*24*30,"/","qweop.com");?>
cookies set
http://sd.qweop.com/read.php
<?php print_r($_COOKIE); ?>
// No one had set any cookies in http://sd.qweop.com but we can see cookies here! Error!
Answer: Yes
I had better catalog the answer here after 500 hours of google research.
Basically we should always use www if we're planning to use any other sub-domains and we want them cookie-free. This is because there are different browser behaviors with regards to top-level domain cookies.
We can try our best to tell the browser "Hey, set it to just the domain and not to its sub-domains", but as long as the url is non-www, they won't be nice and behave the way we want them to.
In fact, even if the url is not non-www, they can still do whatever they want to; there is currently no record of any browser that does that (and most likely so too into the future).
I believe you cannot do anything about it. You might try to set the cookie as:
setcookie('some_name', 'some_val', 0, '/', 'yourdomain');
but it will be set to all subdomains of yourdomain even though RFC 2109 says if the cookie is to match the subdomains it should be set with a dot as .yourdomain. All major browsers are sending it to the subdomains. I checked it with IE, FF and Chrome.
Unfortunately, DNS config has absolutely nothing to do with cookies (as long as they belong to the same second-level domain, of course).
You still can have a practical answer if you ask a practical question though.
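The scoping rule the answers above are describing, as an added example that is not from any of the posts: under RFC 6265 a cookie sent with a Domain attribute is returned to that domain and every subdomain (a leading dot makes no difference), while a cookie set without a Domain attribute (an empty fifth setcookie() argument) is host-only and is returned only to the exact host that set it, so sd.qweop.com never receives it. The hostnames are the question's; the small matcher simulates the browser's decision so it can be run offline.

```php
<?php
// Added example (not from any post above). Models the RFC 6265 cookie-scoping rule
// behind the observed behaviour; hostnames are the question's qweop.com / sd.qweop.com.
declare(strict_types=1);

/** RFC 6265 domain-matching: $host equals $domain or ends in ".$domain". */
function domainMatches(string $host, string $domain): bool
{
    $host = strtolower($host);
    $domain = strtolower(ltrim($domain, '.'));      // browsers ignore a leading dot
    $suffix = '.' . $domain;
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Would the browser attach this cookie to a request for $requestHost?
 * 'domain' is the Domain attribute the server sent ('' = attribute absent);
 * 'host' is the host that set it. With no Domain attribute the cookie is
 * host-only and goes back to that exact host, never to its subdomains.
 */
function cookieSentTo(array $cookie, string $requestHost): bool
{
    if ($cookie['domain'] === '') {
        return strtolower($requestHost) === strtolower($cookie['host']);
    }
    return domainMatches($requestHost, $cookie['domain']);
}

// The two ways set.php on qweop.com can scope the cookie.
$domainCookie = ['host' => 'qweop.com', 'domain' => 'qweop.com']; // setcookie(..., '/', 'qweop.com')
$hostOnly     = ['host' => 'qweop.com', 'domain' => ''];          // setcookie(..., '/', '')

foreach (['qweop.com', 'sd.qweop.com', 'www.qweop.com'] as $h) {
    printf("%-14s Domain=qweop.com: %-8s  host-only: %s\n", $h,
        cookieSentTo($domainCookie, $h) ? 'sent' : 'not sent',
        cookieSentTo($hostOnly, $h) ? 'sent' : 'not sent');
}

// Emitting the host-only form: an empty domain makes PHP omit the Domain attribute.
if (PHP_SAPI !== 'cli') {
    setcookie('testcookie', 'testvalue', [
        'expires'  => time() + 60 * 60 * 24 * 30,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

Note that a host-only cookie set on qweop.com is also not sent to www.qweop.com, which is the flip side of the www-vs-no-www point made in the self-answer.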
I was wondering if it's possible to delete a cookie in PHP, meaning re-setting its time to a time in the past, for a specific subdomain from another subdomain.
For example:
say I am executing the following code on one.myserver.com, which is meant to delete a cookie on two.myserver.com
setcookie("ACOOKIE", 0, time() - 3600, "/", "two.myserver.com");
Currently doing it this way is not working for me. Is there any way I could get something like this to work?
Nope, you can only do that from the other subdomain.
You don't even know that they exist because they will only be sent (by the client browser) while accessing the domain they were originally meant for.
Not possible. Cookies can only be set and unset from the same fully qualified domain.
I have configured the wildcard DNS of *.mydomain.com and it's all working properly. My question is which of these should I rely on identifying client subdomain requests?
$_SERVER["HTTP_HOST"]
$_SERVER["SERVER_NAME"]
$_SERVER["SCRIPT_URI"]
They all seem to contain the subdomain part I want but after reading this article by Chris: http://shiflett.org/blog/2006/mar/server-name-versus-http-host, I'm lost at sea and there appears to be no safe way to do this?
Any idea on accomplishing this task securely? Which approach would you prefer?
Update: sorry, I meant this post: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
HTTP_HOST comes directly from the HOST header. Apache does not clean it up in any way. Even for non-wildcard setups, your first virtualhost in your config will receive a request for a HOST header that doesn't match any of your configured vhosts, so you have to be careful with it. Treat it like any other user data. Filter it appropriately before using it.
I'd suggest that you get the current page url, then use a regular expression to check. Be sure to ignore things like www, www2, etc.
You can use any but most use HTTP_HOST.
You don't have to worry about 'security' here since you allow a wildcard for your subdomains. You won't be able to stop a user from entering a 'threatening' subdomain and sending a request to your server.
If you want to disallow certain subdomains then you have several options, but that's a different question.
$subdomain = explode('.', $_SERVER['HTTP_HOST'], -2);
Returns an array always, and can be empty if there is no sub domain. You should also make sure to notice that this could return www as an array value and that would link to your root domain anyway.
Too much talk of such a little problem.
Everyone says it's dangerous but no one bothers to write a solution, as simple as:
$mydomain='example.com';
$subdomain="";
$matches=array();
// Anchored on the end of the host, so only "<label>.example.com" matches; the
// pattern delimiter is passed to preg_quote so it is escaped as well. A Host
// header carrying a port (host:8080) will not match and leaves $subdomain empty.
$pat='!([a-z0-9_]+)\.'.preg_quote($mydomain, '!').'$!i';
if (preg_match($pat,$_SERVER['HTTP_HOST'],$matches)) $subdomain=$matches[1];
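Putting the advice from the answers above together (HTTP_HOST is client-supplied, strip www, and only accept hosts under your own domain), here is an added example that is not from any of the posts: a routing helper for the wildcard *.mydomain.com setup in the question that normalises the Host header, rejects anything not under the base domain, and validates each label before the value is used. The base domain is the question's; $labelsAllowed is an assumed policy knob.

```php
<?php
// Added example (not from the answers above). Assumes base domain mydomain.com
// from the question; $labelsAllowed is an assumed policy knob.
declare(strict_types=1);
/**
 * Subdomain label in front of $baseDomain, '' for the root site (bare or www),
 * or null when the Host header is not a host we serve. HTTP_HOST is attacker-
 * controlled, so the value is normalised and validated before it routes anything.
 */
function extractSubdomain(string $hostHeader, string $baseDomain, int $labelsAllowed = 1): ?string
{
    // Drop an appended port (Host: foo.mydomain.com:8080), a trailing FQDN dot, case.
    $host = strtolower(rtrim(preg_replace('/:\d+$/', '', trim($hostHeader)), '.'));
    $base = strtolower($baseDomain);
    if ($host === $base || $host === 'www.' . $base) {
        return '';                                  // root site
    }
    $suffix = '.' . $base;
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return null;                                // foreign or spoofed Host header
    }
    $sub = substr($host, 0, -strlen($suffix));
    $labels = explode('.', $sub);
    if (count($labels) > $labelsAllowed) {
        return null;                                // deeper nesting than policy allows
    }
    foreach ($labels as $label) {
        // LDH label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars
        if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/', $label)) {
            return null;
        }
    }
    return $sub;
}

// Constructed sample Host headers with the routing decision each should produce.
$samples = [
    'alice.mydomain.com'      => 'alice',
    'ALICE.mydomain.com:8443' => 'alice',
    'www.mydomain.com'        => '',
    'mydomain.com.evil.net'   => null,   // suffix check fails
    'a.b.mydomain.com'        => null,   // more labels than policy allows
    '-bad.mydomain.com'       => null,   // invalid label
];
foreach ($samples as $hostHeader => $expected) {
    $got = extractSubdomain($hostHeader, 'mydomain.com');
    assert($got === $expected);
    printf("%-26s -> %s\n", $hostHeader, $got === null ? 'reject (404)' : "'$got'");
}
// In a request: $sub = extractSubdomain($_SERVER['HTTP_HOST'] ?? '', 'mydomain.com');
```

A null result should end the request (404 or a redirect to the canonical host) rather than fall through to the first virtual host's content.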