PHP: Cookies Location, Availability - php

I've heard that cookies are small txt files, right?
When I use the command setcookie() in index.php, where does it get stored? On the hard drive?
Which files have access to cookies? For example:
I use setcookie() in index.php and print_r($_COOKIE) in secondpage.php and it prints fine (in the same folder), but another page from outside can't. Are cookies bound to files?
Sorry for the silly question, but there are many other cookies from other websites. How does my browser know which set of cookies to send via the HTTP request?
What concept am I missing?
tnx

When you use setcookie without parameters, defaults are used. Normally a cookie is used only for the same domain and the current path.
So each time you visit a website, this website may use only cookies that were set for this domain and not for other domains.
You have to be aware that if you are at the
http://yourdomain.com/directory/ URL,
by default PHP will set the cookie for the /directory/ directory, which means that you won't be able to read this cookie when you are at http://yourdomain.com. So if you have a directory-like structure in your domain, you need to always set / as the path when you set a cookie.
You can look at setcookie documentation to read more.

Related

Reading cookies & cookie domains

I have two servers: the live server (mydomain.com) and the QA server (qa.mydomain.com). When I set cookies I set the domain as respectively ".mydomain.com" and ".qa.mydomain.com". One of these cookies, called "session_id" is used for authentication and login purposes. It is obvious that a cookie for one domain will not work on the other. However as I am prepending the dot to the domain PHP sometimes reads the ".domain.com" cookie on the QA server with the result that I am not able to login.
Are there ways to have PHP read the correct cookie?
Prepending the dot means it is valid also for all subdomains. So the .mydomain.com cookie is also valid for the qa.mydomain.com.
Now it's not just PHP reading the cookie; but also the browser sending the cookies based on which domain they are valid for.
Since you're specifically talking about the session cookies, you might want to look into using named sessions. From what I can remember, the name of a session is also used in the name of the cookie. Meaning you'd have a different session name for your live and test environment.
Otherwise removing the dot would also do the trick; but I'm guessing you do want it to work for www.mydomain.com, so I don't think it's a solution ;).
See http://se2.php.net/setcookie
The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.
You say:
It is obvious that a cookie for one domain will not work on the other.
when .mydomain.com should match all subdomains. I would remove the dot.
PHP reads all the cookies sent by the browser. Since every .qa.domain.com host is also a .domain.com host, it's normal to get all the cookies.
You'll need to either change the domain names, or change your PHP code in order to be able to identify the cookies that should be ignored from the ones that shouldn't.
I don't think that it is a PHP issue. The web browser is supposed to send the correct cookie to the appropriate web server. Some browsers may be implemented in such a way that sub-domain cookies are also sent back on main domain requests.
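How a browser decides which cookies accompany a request, and why the QA server in the thread above can end up reading the live session_id: this is an added sketch, not code from any of the posts, of the RFC 6265 domain-match, path-match and ordering rules run over a constructed cookie jar. PHP's $_COOKIE keeps the first of several same-named cookies, so with equal paths the cookie created earlier wins; the function names and jar layout are assumptions.

```php
<?php
// Constructed cookie jar (sample data). hostOnly=true: set without a Domain attribute.
$jar = [
    ['name' => 'session_id', 'value' => 'LIVE', 'domain' => 'mydomain.com',    'hostOnly' => false, 'path' => '/',           'created' => 1],
    ['name' => 'session_id', 'value' => 'QA',   'domain' => 'qa.mydomain.com', 'hostOnly' => false, 'path' => '/',           'created' => 2],
    ['name' => 'pref',       'value' => 'x',    'domain' => 'yourdomain.com',  'hostOnly' => true,  'path' => '/directory/', 'created' => 3],
];

// RFC 6265 5.1.3: exact host match, or (domain cookies only) host ends with "." + domain.
function domainMatch(string $host, array $c): bool {
    $host = strtolower($host);
    if ($c['hostOnly'] || $host === $c['domain']) {
        return $host === $c['domain'];
    }
    $suffix = '.' . $c['domain'];
    return substr($host, -strlen($suffix)) === $suffix;
}

// RFC 6265 5.1.4: cookie path is the request path or a prefix ending at a "/" boundary.
function pathMatch(string $requestPath, string $cookiePath): bool {
    if ($requestPath === $cookiePath) return true;
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) return false;
    return substr($cookiePath, -1) === '/' || $requestPath[strlen($cookiePath)] === '/';
}

// Cookies the browser attaches, ordered as RFC 6265 5.4 says: longer path first, then older first.
function cookiesSentTo(array $jar, string $host, string $path): array {
    $sent = array_values(array_filter($jar, function (array $c) use ($host, $path): bool {
        return domainMatch($host, $c) && pathMatch($path, $c['path']);
    }));
    usort($sent, function (array $a, array $b): int {
        return [strlen($b['path']), $a['created']] <=> [strlen($a['path']), $b['created']];
    });
    return $sent;
}

// What $_COOKIE would hold: for duplicate names PHP keeps the first one in the header.
function phpCookieArray(array $sent): array {
    $cookies = [];
    foreach ($sent as $c) {
        $cookies += [$c['name'] => $c['value']]; // += never overwrites an existing key
    }
    return $cookies;
}

$requests = [['qa.mydomain.com', '/'], ['mydomain.com', '/'],
             ['yourdomain.com', '/'], ['yourdomain.com', '/directory/secondpage.php']];
foreach ($requests as [$host, $path]) {
    $sent = cookiesSentTo($jar, $host, $path);
    $header = implode('; ', array_map(fn($c) => "{$c['name']}={$c['value']}", $sent));
    printf("%s%s\n  Cookie: %s\n  \$_COOKIE: %s\n", $host, $path, $header, json_encode(phpCookieArray($sent)));
}
```

For qa.mydomain.com both session_id cookies are sent and the script sees only one of them, which is the login failure described in the question.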

New session for every domain name

I'm running Ubuntu / nginx and php-fpm. When I open my website http://www.mydomain.com I have to log in and a session is being created by PHP. When I log on to http://mydomain.com I have to log in again and another session is being created.
How can I prevent PHP from creating new sessions and stick with one? Or is this rather a web server issue?
This is because your sessions are based on cookies, and cookies are domain specific. www.domain.com is technically a subdomain of domain.com, although it is rarely treated as such, and the browser will act as if it were a completely different server. You can work around the problem by passing the session id as a GET (or POST) parameter as appropriate.
See this page or the PHP manual for an explanation of how to do it. All you really need to do is include the constant SID in all your links etc - this is defined when you call session_start() and is a string in the format of a URL parameter.
Use session_set_cookie_params and set the domain to .mydomain.com. Also session_set_cookie_params needs to be called before each session_start
You need to specify the cookie domain to make sure the cookie is seen valid for both www and non-www http://php.net/manual/en/function.session-set-cookie-params.php

Session cookie and www

I would like to have my session work in my website when using www. AND when not using it.
I've read this thread:
PHP cookie problem - www or without www
And this would work, but I'm not creating cookies here, but sessions. How would I solve this? Also note that I don't know on which domain my scripts will run, so hardcoding the domain is not an option.
Is there a way to do this?
Thank you
EDIT:
I'm forcing that session ID's should be stored in cookies, so only this applies.
Use session_set_cookie_params function before calling session_start, it allows you to set the session domain and other things, set the domain to your domain prefixed with a . to make the session available to subdomains as well.
You can reflect php.ini for this. Add this in php.ini so that your session cookie will be saved at the place to be accessible with or without www
session.cookie_domain = .example.com
You can also try an alternate to do this
ini_set("session.cookie_domain", ".example.com");
And you can get the host name using $_SERVER['HTTP_HOST'] variable.
PHP uses cookies for the session id, so that's really the same problem (and solution). Have a look at the session configuration.
http://php.net/manual/en/session.configuration.php
Using the correct hostname across all requests is important for sessions. However, if you are going to be accessing cookies across multiple subdomains then you can specify the domain parameter with a prepended period. I.e.,
.example.com
I've experienced this problem with my cookies and your link in your post is great solving that.
So far, I've never experienced difficulties with sessions. They're independent of domains or subdomains; they are stored on the server side.
You can Set in a config file a constant parameter DOMAIN_NAME, or in the DB, in prevision for your cookies, and then modify it only once.
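The answers above suggest session_set_cookie_params with a leading-dot domain and reading the host from $_SERVER['HTTP_HOST']. Because that header comes from the request, this added example (not code from the posts) checks it against a configured list of base domains before using it as the cookie domain, and sets a per-environment session name as suggested in the QA/live thread. The helper names, the example.com list and the HTTPS-only `secure` flag are assumptions; the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Hypothetical helper: map the request's Host header to a cookie domain using a
// configured list of base domains instead of trusting the header as-is.
function sessionCookieDomain(string $hostHeader, array $baseDomains): ?string {
    // Drop an optional :port, normalise case, reject anything that is not a plain hostname.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    if (!preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }
    foreach ($baseDomains as $base) {
        $suffix = '.' . $base;
        if ($host === $base || substr($host, -strlen($suffix)) === $suffix) {
            return $suffix; // ".example.com" covers example.com and www.example.com
        }
    }
    return null;
}

// Hypothetical wrapper: call this instead of a bare session_start().
function startSharedSession(string $hostHeader, array $baseDomains, string $name): bool {
    $domain = sessionCookieDomain($hostHeader, $baseDomains);
    if ($domain === null) {
        return false; // unknown host: refuse rather than issue a session cookie
    }
    session_name($name); // e.g. a different name on live and on QA
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return session_start();
}

// Constructed Host header values, including two that must be rejected.
foreach (['www.example.com', 'example.com:8080', 'example.com.other.test', 'bad host'] as $h) {
    printf("%-24s => %s\n", $h, var_export(sessionCookieDomain($h, ['example.com']), true));
}
```

A cookie scoped to the base domain is sent to every subdomain under it, so the allowlist should contain only domains whose subdomains are all meant to share the session.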

Apache / PHP Disable Cookies for Subdomain?

I am trying to follow these guidelines to make my page load quicker.
I have created a static subdomain to load static content from, however it is advising me to not have cookies sent on this subdomain, any ideas on how I might be able to do this in Apache/PHP?
I've searched around and come up with nothing yet.
If you never explicitly set a cookie, cookies won't be present on the server. So, if you are using the second domain simply as a repository for images or CSS files, most likely no cookies are ever set.
Updated from Comments.
If you see a 'Request' cookie header to a subdomain you don't want to have cookies, clear your cookies and see if the server ever sends a cookie header in the Response headers. If it does, it is possible you have session.auto_start enabled, or you have a script that sets cookies.
You can check the Request and Response Headers using something like Firebug with Google Page Speed.
You can easily take care of this in PHP. When you set your cookie, the parameter that needs to be set is the domain parameter. Often, this is set to ".domain.com" to make it available on any subdomain. Instead, you might try setting it to "www.domain.com" to restrict it to that domain. Check out the PHP manual's setcookie() documentation.

Cookies across subdomains and hosts

In the application I'm writing using a combination of development environments and languages, I have need of accessing a cookie from two different subdomains, each on a separate host.
The cookie is being set on www.mydomain.com using the PHP code that follows, and I'm attempting to access it from distant.mydomain.com on a separate host.
setcookie('token', base64_encode(serialize($token)), time()+10800, '/', '.mydomain.com');
I'm trying to access the cookie from distant.mydomain.com using the following code:
if (isset($_COOKIE['token'])) { /* do stuff */ }
The problem: distant.mydomain.com is not finding the cookie. The if statement just mentioned returns false, even though the cookie exists.
I have verified that the cookie that is set is for mydomain.com (by checking my Firefox cookies). I can't think of any reason this wouldn't be working.
Using the same setcookie code, I have an old application running exclusively on the www.mydomain.com host, and that application is able to access the cookie across domains. This makes me suspect that the problem has to do with separate hosts.
Just in case any of the following information is pertinent:
- www.mydomain.com is IIS 6.0
- distant.mydomain.com is Apache 2.2.9
- Both servers use PHP 5.2.x
- Both servers are operating on Windows Server 2003
If there is any further information I can provide in order to better describe the problem, please let me know!
For the benefit of anyone reading this question the code and information contained in the original post are exactly correct and work fine.
The problem is when you introduce other technology. For instance, I have since learned that sending PHP code through a Python module, one that allows Django to serve PHP files/content, changes a great deal about what is accessible to the script and what is not.
This was eventually discovered following the advice of Marc Novakowski, who suggested sending $_COOKIE to the log in order to find out what was there.
I also checked out $_SERVER and $_GET. It was the emptiness of $_GET that tipped me off that the setup I am attempting to use is not as straightforward as I had thought. It was that mistaken understanding that led to not including the information about Django in the original post.
Apologies and thanks to all who responded to this question!
Cookies set in domain
'.aaa.sub.domain.com'
will collide with identically named cookies set in domain
'.sub.domain.com'
and '.some.stupidly.obscure.multi.sub.domain.com'
That means (and this took some time to wade thru) if you're going to use the same-named cookie across multiple domains, you must set it once (and once only) in the main/base domain, in this case '.domain.com'; otherwise, the resulting cookie will be indeterminately and randomly returned arrived at, sometimes the cookie 'jasper' set in .a.sub.domain.com, sometimes the cookie 'jasper' set in .sub.domain.com, sometimes the cookie 'jasper' set in .b.c.d.domain.com, sometimes the cookie 'jasper' set in '.sub.domain.com' and sometimes the cookie 'jasper' set in '.domain.com'
Does one of the subdomains use an underscore? IE has problems accepting cookies from subdomains that don't follow the URI RFC.
This is assuming 'distant' is a placeholder and not the actual subdomain name and of course that you use IE. Although more browsers could very well be affected by as, Fireworks doesn't though.
I'd try installing Charles Proxy and see what headers are a) being sent to Firefox to begin with (to set the cookie) and b) which headers are being sent from Firefox to the second server. At least that way you can narrow down where the problem is (browser or server).
From php.net about the setCookie-function:
The path on the server in which the cookie will be available on. If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.
The domain that the cookie is available. To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers. Setting it to www.example.com will make the cookie only available in the www subdomain. Refer to tail matching in the spec for details.
Basically: Your 4. and 5. parameter needs to be checked: Well, your path seems to be fine, but the domain needs to be changed:
Today you block the cookie to all others than domain A, but you want it to be available to both domain A and B. This is a bit tricky, but can be solved. Get inspiration on 15seconds ;-)
