How to pass session / cookie from main domain to subdomains in Nginx? - php

So I have an iframed page of my subdomain in my main domain, and this subdomain page requires user to be logged in and have a membership to be accessed.
Basically I need that the session variables and cookie are passed to the subdomain in order for the iframe to load.
How can I achieve this in Nginx?

Cookies have a domain attribute, which specifies which domains they will be sent to from the client. For example, in PHP's setcookie function the 5th argument accepts a $domain string to set in the cookie. By default it's left blank which means it will use the domain the request came from when the client receives it.
The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.
So if you set your cookie to your main domain the client UA won't have a problem making it available to your sub domain.
Now, iframes are a little trickier, however. For example, Internet Explorer can treat iframes differently due to its varying privacy policy rules and block all cookies from an iframe. See this question for more details. However, Nginx really shouldn't play anything more than a passive role in all of this.

Related

Reading cookies set at a particular domain

I currently store cookies on my site at .domain.com, as I have a few subdomains that share the cookies (like authentication). I wanted to set up a test site so I could show some features publicly, so I set up a test.domain.com, which obviously gets the .domain.com cookies, but I'd like it not to. Is there some way for me to set it up so my test site reads only the cookies at .test.domain.com?
The 2 domains mydomain.com and subdomain.mydomain.com can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host.
For instance, if you sent the following header from subdomain.mydomain.com:
Set-Cookie: name=value
Then the cookie won't be sent for requests to mydomain.com. However if you use the following, it will be usable on both domains:
Set-Cookie: name=value; domain=mydomain.com
In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.mydomain.com) would allow it to be used across subdomains.
However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
In summary, if you set a cookie like the second example above from mydomain.com, it would be accessible by subdomain.mydomain.com, and vice versa.
See also: www vs no-www and cookies, this test script

Cannot set cookie for the whole domain from subdomains

Here is my code:
setcookie('set_User',$_POST['email'],time()+3600,'/','.mydomain.com');
I also tried the opposite, I mean setting the cookie for the whole domain from the main domain, but in both cases the cookies are only available where they are created, not in other subdomains or in the main domain if they are sent from subdomains.
Any idea?

Read PHP Session cookies from subdomains as well as from domain?

I added php_value session.cookie_domain .example.com to my .htaccess in order to be able to read the PHP cookie from all subdomains. It seems to work; however, I cannot read the cookie when I am at 'example.com' (no subdomains).
This is driving me crazy, I'm sure it's a common issue since most people want their users to be logged in both the domain and all subdomains once they are authenticated.
What can I do to be able to write/read php cookie from any domain/subdomain?
There is no dependable way of doing this with session variables. You can either change your root domain to www.example.com or use cookies.
The docs for PHP's setcookie say Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'.

Reading cookies & cookie domains

I have two servers: the live server (mydomain.com) and the QA server (qa.mydomain.com). When I set cookies I set the domain as respectively ".mydomain.com" and ".qa.mydomain.com". One of these cookies, called "session_id", is used for authentication and login purposes. It is obvious that a cookie for one domain will not work on the other. However, as I am prepending the dot to the domain, PHP sometimes reads the ".domain.com" cookie on the QA server, with the result that I am not able to log in.
Are there ways to have PHP read the correct cookie?
Prepending the dot means it is valid also for all subdomains. So the .mydomain.com cookie is also valid for the qa.mydomain.com.
Now it's not just PHP reading the cookie; but also the browser sending the cookies based on which domain they are valid for.
Since you're specifically talking about the session cookies, you might want to look into using named sessions. From what I can remember, the name of a session is also used in the name of the cookie, meaning you'd have a different session name for your live and test environment.
Otherwise removing the dot would also do the trick; but I'm guessing you do want it to work for www.mydomain.com, so I don't think it's a solution ;).
See http://se2.php.net/setcookie
The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.
You say:
It is obvious that a cookie for one domain will not work on the other.
when .mydomain.com should match all subdomains. I would remove the dot.
PHP reads all the cookies sent by the browser. Since every .qa.domain.com host is also a .domain.com host, it's normal to get all the cookies.
You'll need to either change the domain names, or change your PHP code in order to be able to identify the cookies that should be ignored from the ones that shouldn't.
I don't think that it is a PHP issue. The web browser is supposed to send the correct cookie to the appropriate web server. Some browsers may be implemented in such a way that sub-domain cookies are also sent back on main domain requests.

Cookies across subdomains and hosts

In the application I'm writing using a combination of development environments and languages, I have need of accessing a cookie from two different subdomains, each on a separate host.
The cookie is being set on www.mydomain.com using the PHP code that follows, and I'm attempting to access it from distant.mydomain.com on a separate host.
setcookie('token', base64_encode(serialize($token)), time()+10800, '/', '.mydomain.com');
I'm trying to access the cookie from distant.mydomain.com using the following code:
if (isset($_COOKIE['token'])) { /* do stuff */ }
The problem: distant.mydomain.com is not finding the cookie. The if statement just mentioned returns false, even though the cookie exists.
I have verified that the cookie that is set is for mydomain.com (by checking my Firefox cookies). I can't think of any reason this wouldn't be working.
Using the same setcookie code, I have an old application running exclusively on the www.mydomain.com host, and that application is able to access the cookie across domains. This makes me suspect that the problem has to do with separate hosts.
Just in case any of the following information is pertinent:
- www.mydomain.com is IIS 6.0
- distant.mydomain.com is Apache 2.2.9
- Both servers use PHP 5.2.x
- Both servers are operating on Windows Server 2003
If there is any further information I can provide in order to better describe the problem, please let me know!
For the benefit of anyone reading this question the code and information contained in the original post are exactly correct and work fine.
The problem is when you introduce other technology. For instance, I have since learned that sending PHP code through a Python module, one that allows Django to serve PHP files/content, changes a great deal about what is accessible to the script and what is not.
This was eventually discovered following the advice of Marc Novakowski, who suggested sending $_COOKIE to the log in order to find out what was there.
I also checked out $_SERVER and $_GET. It was the emptiness of $_GET that tipped me off that the setup I am attempting to use is not as straightforward as I had thought. It was that mistaken understanding that led to not including the information about Django in the original post.
Apologies and thanks to all who responded to this question!
Cookies set in domain
'.aaa.sub.domain.com'
will collide with identically named cookies set in domain
'.sub.domain.com'
and '.some.stupidly.obscure.multi.sub.domain.com'
That means (and this took some time to wade through) if you're going to use the same-named cookie across multiple domains, you must set it once (and once only) in the main/base domain, in this case '.domain.com'; otherwise, the resulting cookie will be indeterminately and randomly arrived at: sometimes the cookie 'jasper' set in .a.sub.domain.com, sometimes the cookie 'jasper' set in .sub.domain.com, sometimes the cookie 'jasper' set in .b.c.d.domain.com, sometimes the cookie 'jasper' set in '.sub.domain.com' and sometimes the cookie 'jasper' set in '.domain.com'.
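As an added illustration of two points made on this page (the Set-Cookie domain scoping explained in the "Reading cookies set at a particular domain" answer, and the same-named cookie collision described just above), here is a small Python model of the client-side rules of RFC 6265. It is constructed for this page and is not code from the page, from PHP, or from any browser; the host names such as subdomain.mydomain.com and the cookie named jasper are the page's own examples, and path matching is simplified to a prefix test.

```python
"""Toy model of the client side of RFC 6265: which cookies a user agent stores
for a Set-Cookie header and which ones it sends back on a later request.
Constructed example; not code from the page, from PHP or from any browser."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-case, leading dot stripped
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str = "/"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching (IP-address case omitted)."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def store_cookie(header: str, request_host: str) -> Cookie:
    """Apply the Domain rules of RFC 6265 section 5.3 to one Set-Cookie header.
    Raises ValueError where a browser would silently drop the cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = "", "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            domain = val.lower().lstrip(".")   # RFC 6265 ignores the leading dot
        elif key.lower() == "path":
            path = val
    if not domain:
        # No Domain attribute: host-only cookie, returned only to request_host
        return Cookie(name, value, request_host.lower(), host_only=True, path=path)
    if not domain_matches(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    return Cookie(name, value, domain, host_only=False, path=path)


def cookie_header(jar, request_host, request_path="/"):
    """Build the Cookie request header (RFC 6265 section 5.4).
    Path matching is simplified to a prefix test."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() != c.domain:
                continue
        elif not domain_matches(request_host, c.domain):
            continue
        if not request_path.startswith(c.path):
            continue
        sent.append(c)
    # Longer paths first; otherwise creation (insertion) order. The Domain
    # attribute itself is never transmitted, so the server cannot see it.
    sent.sort(key=lambda c: len(c.path), reverse=True)
    return "; ".join(f"{c.name}={c.value}" for c in sent)


def scope_demo():
    """Set-Cookie without vs. with a Domain attribute, from subdomain.mydomain.com."""
    jar = [
        store_cookie("hostonly=1", "subdomain.mydomain.com"),
        store_cookie("shared=1; domain=mydomain.com", "subdomain.mydomain.com"),
        store_cookie("dotted=1; domain=.mydomain.com", "subdomain.mydomain.com"),
    ]
    return {
        "subdomain.mydomain.com": cookie_header(jar, "subdomain.mydomain.com"),
        "mydomain.com": cookie_header(jar, "mydomain.com"),
        "other.mydomain.com": cookie_header(jar, "other.mydomain.com"),
    }


def collision_demo():
    """Same-named cookie set at three nesting levels: a request to the deepest
    host carries all three, and the header gives no way to tell them apart."""
    jar = [
        store_cookie("jasper=base; domain=.domain.com", "www.domain.com"),
        store_cookie("jasper=sub; domain=.sub.domain.com", "sub.domain.com"),
        store_cookie("jasper=leaf; domain=.a.sub.domain.com", "a.sub.domain.com"),
    ]
    header = cookie_header(jar, "a.sub.domain.com")
    # A naive name->value parse keeps the last duplicate; other parsers keep
    # the first. Neither can recover which domain set the value it kept.
    last_wins = dict(p.split("=", 1) for p in header.split("; "))
    return header, last_wins["jasper"]


if __name__ == "__main__":
    for host, hdr in scope_demo().items():
        print(f"GET {host}  ->  Cookie: {hdr}")
    print("GET a.sub.domain.com  ->  Cookie:", collision_demo()[0])
```

Running it shows that a cookie set without a Domain attribute is host-only and is never sent to mydomain.com, that Domain=mydomain.com and Domain=.mydomain.com behave identically, that a host cannot set a cookie for a domain it does not belong to, and that the Cookie header for a.sub.domain.com carries three jasper values with no domain information, which is why a flat name-to-value array on the server side (PHP's $_COOKIE is one) cannot tell which of them to trust.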
Does one of the subdomains use an underscore? IE has problems accepting cookies from subdomains that don't follow the URI RFC.
This is assuming 'distant' is a placeholder and not the actual subdomain name, and of course that you use IE. More browsers could very well be affected as well; Fireworks doesn't, though.
I'd try installing Charles Proxy and see what headers are a) being sent to Firefox to begin with (to set the cookie) and b) which headers are being sent from Firefox to the second server. At least that way you can narrow down where the problem is (browser or server).
From php.net about the setCookie-function:
The path on the server in which the cookie will be available on. If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.
The domain that the cookie is available to. To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers. Setting it to www.example.com will make the cookie only available in the www subdomain. Refer to tail matching in the spec for details.
Basically: your 4th and 5th parameters need to be checked. Well, your path seems to be fine, but the domain needs to be changed:
Today you block the cookie to all others than domain A, but you want it to be available to both domain A and B. This is a bit tricky, but can be solved. Get inspiration on 15seconds ;-)
