can not set cookie for whole of domain from subdomains - php

Here is my code:
setcookie('set_User',$_POST['email'],time()+3600,'/','.mydomain.com');
I also tried the opposite, I mean setting the cookie for the whole domain from the main domain, but in both cases the cookies are only available where they were created, not on other subdomains or on the main domain if they are sent from subdomains.
Any idea?

Related

Different session variables between Domain and Subdomain

Is it possible to set up two different projects on the same domain and the same server, but with different SESSION variables and pointing to different folders?
One is on maindomain.com (sharing session variables with subdomains except dashboard.maindomain.com) and one is on 'dashboard.maindomain.com'.
This implies that session variables must be shared between the primary domain and any subdomain, except dashboard.
Yes, it's possible.
In theory, it should be as easy as just properly configuring different cookie domains, as well as having separate storage (e.g. different file directories, in case you're using file-based sessions).
However, because cookies for example.com would be valid for and sent by clients to all subdomains, make sure to use a different session cookie name for your dashboard. subdomain. That way, it won't attempt to process cookies that weren't intended for it.
In addition, that's a security concern because your dashboard. app will now effectively be able to sniff cookies that are only intended for your main domain and other subdomains.
So, while technically possible, it might not be a good idea to do that.

Reading cookies set at a particular domain

I currently store cookies on my site at .domain.com, as I have a few subdomains that share the cookies (like authentication). I wanted to set up a test site so I could show some features publicly, so I set up a test.domain.com, which obviously gets the .domain.com cookies, but I'd like it not to. Is there some way for me to set it up so my test site reads only the cookies at .test.domain.com?
The 2 domains mydomain.com and subdomain.mydomain.com can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host.
For instance, if you sent the following header from subdomain.mydomain.com:
Set-Cookie: name=value
Then the cookie won't be sent for requests to mydomain.com. However if you use the following, it will be usable on both domains:
Set-Cookie: name=value; domain=mydomain.com
In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.mydomain.com) would allow it to be used across subdomains.
However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
In summary, if you set a cookie like the second example above from mydomain.com, it would be accessible by subdomain.mydomain.com, and vice versa.
See also: www vs no-www and cookies, this test script
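
The scoping rules described in this answer, written out as an added example (not code from the original answers): a simplified RFC 6265 domain-match in PHP that reports whether a browser would send a cookie to a given host. The function names are hypothetical, the cases are constructed from the host names used on this page, and the public-suffix check that real browsers also apply is left out.

```php
<?php
// Added example: simplified RFC 6265 cookie scoping (no public-suffix check).
// Function names are hypothetical; requires PHP 8 for str_ends_with().

// RFC 6265 section 5.1.3: does $host domain-match $cookieDomain?
function domainMatches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $cookieDomain = strtolower($cookieDomain);
    if ($host === $cookieDomain) {
        return true;
    }
    // Suffix matches count only on a label boundary, and never for IP addresses.
    return filter_var($host, FILTER_VALIDATE_IP) === false
        && str_ends_with($host, '.' . $cookieDomain);
}

// Would a cookie set by $setBy with this Domain attribute (null = absent)
// be sent on a request to $requestHost?
function cookieSentTo(string $setBy, ?string $domainAttr, string $requestHost): bool
{
    if ($domainAttr === null || $domainAttr === '') {
        // Host-only cookie: returned to the exact host that set it, nothing else.
        return strtolower($setBy) === strtolower($requestHost);
    }
    // A single leading dot is stripped, so ".mydomain.com" equals "mydomain.com".
    $domain = $domainAttr[0] === '.' ? substr($domainAttr, 1) : $domainAttr;
    if (!domainMatches($setBy, $domain)) {
        return false; // the browser discards a cookie for a domain the setter is not in
    }
    return domainMatches($requestHost, $domain);
}

// Constructed cases using the host names from the questions on this page.
$cases = [
    ['subdomain.mydomain.com', null,               'mydomain.com'],
    ['subdomain.mydomain.com', 'mydomain.com',     'mydomain.com'],
    ['mydomain.com',           '.mydomain.com',    'qa.mydomain.com'],
    ['qa.mydomain.com',        '.qa.mydomain.com', 'mydomain.com'],
    ['mydomain.com',           'mydomain.com',     'notmydomain.com'],
];
foreach ($cases as [$setBy, $attr, $requestHost]) {
    printf("%-22s Domain=%-16s -> %-15s : %s\n", $setBy, $attr ?? '(none)',
        $requestHost, cookieSentTo($setBy, $attr, $requestHost) ? 'sent' : 'not sent');
}
```

The third case is the situation in the QA question further down this page: a cookie scoped to the parent domain also domain-matches qa.mydomain.com.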

How to pass session / cookie from main domain to subdomains in Nginx?

So I have an iframed page of my subdomain in my main domain, and this subdomain page requires user to be logged in and have a membership to be accessed.
Basically I need that the session variables and cookie are passed to the subdomain in order for the iframe to load.
How can I achieve this in Nginx ?
Cookies have a domain attribute, which specifies which domains they will be sent to from the client. For example, in PHP's setcookie function the 5th argument accepts a $domain string to set in the cookie. By default it's left blank which means it will use the domain the request came from when the client receives it.
The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.
So if you set your cookie to your main domain the client UA won't have a problem making it available to your sub domain.
Now, iframes are a little trickier, however. For example, Internet Explorer can treat iframes differently due to its varying privacy policy rules and block all cookies from an iframe. See this question for more details. However, Nginx really shouldn't play anything more than a passive role in all of this.

Read PHP Session cookies from subdomains as well as from domain?

I added php_value session.cookie_domain .example.com to my .htaccess in order to be able to read PHP cookie from all subdomains, it seems to work however I cannot read the cookie when I am at: 'example.com' (no subdomains).
This is driving me crazy, I'm sure it's a common issue since most people want their users to be logged in both the domain and all subdomains once they are authenticated.
What can I do to be able to write/read php cookie from any domain/subdomain?
There is no dependable way of doing this with session variables. You can either change your root domain to www.example.com or use cookies.
The docs for PHP's setcookie say Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'.

Reading cookies & cookie domains

I have two servers: the live server (mydomain.com) and the QA server (qa.mydomain.com). When I set cookies I set the domain as respectively ".mydomain.com" and ".qa.mydomain.com". One of these cookies, called "session_id", is used for authentication and login purposes. It is obvious that a cookie for one domain will not work on the other. However, as I am prepending the dot to the domain, PHP sometimes reads the ".domain.com" cookie on the QA server, with the result that I am not able to log in.
Are there ways to have PHP read the correct cookie?
Prepending the dot means it is valid also for all subdomains. So the .mydomain.com cookie is also valid for the qa.mydomain.com.
Now it's not just PHP reading the cookie; but also the browser sending the cookies based on which domain they are valid for.
Since you're specifically talking about the session cookies, you might want to look into using named sessions. From what I can remember, the name of a session is also used in the name of the cookie. Meaning you'd have a different session name for your live and test environment.
Otherwise removing the dot would also do the trick; but I'm guessing you do want it to work for www.mydomain.com, so I don't think it's a solution ;).
See http://se2.php.net/setcookie
The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.
You say:
It is obvious that a cookie for one domain will not work on the other.
when .mydomain.com should match all subdomains. I would remove the dot.
PHP reads all the cookies sent by the browser. Since every .qa.domain.com host is also a .domain.com host, it's normal to get all the cookies.
You'll need to either change the domain names, or change your PHP code in order to be able to identify the cookies that should be ignored from the ones that shouldn't.
I don't think that it is a PHP issue. The web browser is supposed to send the correct cookie to the appropriate web server. Some browsers may be implemented in such a way that sub-domain cookies are also sent back on main domain request.
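
The named-session suggestion from the answers above, which is also the separate cookie name and separate storage recommended earlier on this page for the dashboard subdomain, as an added example (not code from the original answers). The helper name, session names and save paths are assumptions for illustration, and the site is assumed to be served over HTTPS.

```php
<?php
// Added example: one session cookie name, scope and store per environment.
// startScopedSession(), the session names and the paths are hypothetical.

function startScopedSession(string $name, string $cookieDomain, string $savePath): void
{
    session_name($name);              // cookie name the app reads; others are ignored
    session_save_path($savePath);     // separate storage, so session IDs cannot cross over
    session_set_cookie_params([       // array form needs PHP 7.3 or later
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $cookieDomain,  // '' = host-only: not sent to any other host
        'secure'   => true,           // assumption: HTTPS only
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// HTTP_HOST is used only to pick between two fixed configurations.
$host = strtolower($_SERVER['HTTP_HOST'] ?? '');

if ($host === 'qa.mydomain.com') {
    // QA: host-only cookie under its own name. The browser still sends the
    // live LIVESESSID cookie here, but PHP only looks up QASESSID.
    startScopedSession('QASESSID', '', '/var/lib/php/sessions-qa');
} else {
    // Live: shared across mydomain.com and its subdomains.
    startScopedSession('LIVESESSID', 'mydomain.com', '/var/lib/php/sessions-live');
}
```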
