I'm having some pretty weird error when I want to set my session cookie.
If I use the following rule:
session_set_cookie_params(0, '/', $_SERVER['HTTP_HOST'], false, true);
//$_SERVER['HTTP_HOST'] resolves into "jscripting.nl"
It will always put a "." in front of the url and it will always make it so that my session_id will become accessable on all my subdomains, which is a problem since I develop on one of my subdomains and the session_id's might be interfering with each other.
Is there something I'm doing wrong or is something wrong with my server setup?
$_SERVER['HTTP_HOST'] does not relate to server setup, it is coming from Host header of the request that a client makes.
If you want to use a server name that is configured on the server side, the way to do it is normally to use $_SERVER['SERVER_NAME'], though in some cases that is affected by host header, too.
Edit: apparently, any value for the domain will be default append a dot, so it will include any subdomains, and the only valid way to have it apply to current domain only is to not set the param or using raw headers to set the cookie. See more on this on subject this thread.
You can make the cookie httponly and still have it work in your case by setting null on the domain name parameter.
Related
I need to set the PHPSESSID coockie for just two domains:
www.domain.tld
sub.domain.tld.
Other subdomains should not share the same PHPSESSID.
I can use session_set_cookies_param(), but as far as I can see, this can only set it for one domain or all subdomains.
But in my case, subdomain anothersub.domain.tld should not have this PHPSESSID.
I want this because we have images on a subdomain, and setting the PHPSESSID for all subdomains causes the browser to send the PHPSESSID cookie with the request. This has slight performance issues for static resources and it is recommended to use cookieless domains
This can't be done this way, this is unrelated to PHP. This is how cookies works in general. Only one domain (or a domain with a dot in front) can be set.
You have to use different domain for image hosting.
While as was already explained, this is not technically possible, due to the cookie “syntax”, I think you should be able to work around that, if you simply set a second cookie yourself.
Use session_set_cookies_param to have it set the cookie for www.domain.tld only.
Add your own code after session_start, that sets the “same” cookie again, just for sub.domain.tld this time.
session_name and session_id help your figure out the necessary name and value; if you want, you can also use session_get_cookie_params to match other parameters (like lifetime and maybe path, if the latter makes any sense in the given setup) as well if you like.
Edit: Keep in mind though, that if the session id might change at any other point within your app after session_start, for example if session_regenerate_id is used anywhere, you will of course have to update your second cookie there as well.
I have a website which is on (myapp.com). Now I created a separate (digitalocean) webhosting (test.myapp.com) for my testing environment.
The issue is that the saved cookies, used by myapp.com, are also being used for my test.myapp.com.
How can I make sure my cookies are only being used by one domain? Is it good practice to do so?
Thank you.
You can specify the domain while creating a cookie. Here it is the fifth parameter. You can find it in the docs as well.
If you use the cookie() helper function:
cookie('my-cookie', 'my-value', 0, null, 'myapp.com');
Make sure that your domain in config/session.php has no . in front of it, this makes the cookie work on all subdomains.
If the value is set to null, set it to the domain name for your website, including the subdomain if applicable.
If I belong to the no-www camp, cookies I have set in http://example.com would be read by http://sub-domain.example.com,
And regardless of the language I use (perl / asp.net / php / JSP) there is no way I could ever work around this issue because it is a fundamental architecture of HTTP itself, true or false ?
What I'm concerned here is, is there any DNS config that would prevent http://sub-domain.example.com from reading the cookies set in http://example.com ?
I have a domain name http://qweop.com
I have a subdomain at http://sd.qweop.com
Now, the problem is that even though I've not set any cookies on http://sd.qweop.com, when I read the cookies, there are cookies there. They are reading cookies from http://qweop.com.
How do I fix the problem so that the cookies from the main domain would not be read by (a request to) the sub-domain?
I've tried altering the 5th parameter of the php setcookie function but it doesn't seem to do anything. Basically that parameter is like useless. I'm suspecting it's a limitation of the HTTP infrastructure.
DETAILS:
http://qweop.com/set.php (try to use incognito to allow easy cookie removal)
<?php setcookie("testcookie","testvalue",time()+60*60*24*30,"/","qweop.com");?>
cookies set
http://sd.qweop.com/read.php
<?php print_r($_COOKIE); ?>
// No one had set any cookies in http://sd.qweop.com but we can see cookies here! Error!
Answer: Yes
I had better catalog the answer here after 500 hours of google research.
Basically we should always use www if we're planning to use any other sub-domains and we want them cookie-free. This is because there are different browser behaviors with regards to top-level domain cookies.
We can try our best to tell the browser "Hey's set it to just the domain and not to it's sub-domains" but as long as the url is non-www, they won't be nice and behave the way we want them to.
In fact, even if the url is not non-www, they can still do whatever they want to, there is currently no record of any browser that does that (and most likely so too into the future).
I believe you cannot do anything about it. You might try to set the cookie as:
setcookie('some_name', 'some_val', 0, '/', 'yourdomain');
but it will be set to all subdomains of yourdomain even though RFC 2109 says if the cookie is to match the subdomains it should be set with a dot as .yourdomain. All major browsers are sending it to the subdomains. I checked it with IE, FF and Chrome.
Unfortunately, DNS config has absolutely nothing to do with cookies (as long as they belong to the same 2-nd level domain, of course).
You still can have a practical answer if you ask a practical question though.
I have been losing my session variables rather consistently when I click on the link from our websites notification email. After breaking my head for a long time on this, I today realized that www.domain-name.com does not contain the session variables while domain-name.com does!!
Why does this happen? And what do I do to set things right(php-apache)?
Sessions are based on cookies, which are per-domain.
www.domain.com is a different domain than domain.com, so their cookies are kept separate.
Standard practice is to choose one variant and 301 redirect the other variant to the preferred one.
The session ID is stored in a cookie, and in the cookie can be specified how it should react over domain names.
Take a look at PHP's setcookie documentation.
You can change PHP's session cookie configuration with:
ini_set("session.cookie_domain", ".mydomain.com");
There's nothing technically special about ‘www’. The domain ‘domain.com’ is distinct from ‘www.domain.com’; if you want to associate them, that needs to be explicit somewhere, usually in the HTTP server configuration.
How to redirect with .htaccess file:
http://papermashup.com/useful-htaccess-techniques/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/#red2
I have the following problem - a third party software is setting a cookie with the login credentials and then forward the user to my app. I now need to retrieve the cookie values:
The problem is - I can do this easily in the Frontend/AS3 with
var ticket : String = CookieUtil.getCookie( 'ticket' ).toString();
but in PHP, the cookie is not within the $_COOKIES array.
The cookie values are:
Name: ticket
Domain: .myserver.com
Path : /
Send for: encrypted connections only
Expires: at end of session
The one I see, and set before in PHP, is:
Name: myCookie
Host: myserver.com
Path : /
Send for: any type of connection
Expires: at end of session
Actually, since host/domain are both the same, it should be visible in the PHP script, since it is running on this domain.
Any thoughts? Thankx
Martin
I don't know if this can be useful for you but, the PHP manual (cookie section) states:
Any cookies sent to you from the client will automatically be included into a
$_COOKIE auto-global array if variables_order contains "C".
You should check the php config variables_order directive in order to be shure the Cookie flag is set.
ahahah got it! $_COOKIE not $_COOKIES :)
get a habit to program in PHP with error_reporting(E_ALL) reporting level, to avoid such a silly mistakes
Could this be domain sub domain issue? I mean www.myserver.com is not 'under' .www.myserver.com ... ?
The cookie should have the domain set to ".myserver.com"
Currently the only way to get this cookie is to have a script living under ".www.myserver.com" like "app.www.myserver.com"
EDIT: The OP had a typo. But are cookies with domain "myserver.com" members of ".myserver.com" ?
Any thoughts?
Actually, cookie is not a text file. But merely HTTP header.
So, to see a real cookie, one must watch HTTP interchange log, not the files on the client PC.
I am sure watching HTTP log would bring some light on the situation. It can be dome in many ways, LiveHTTPheaders mozilla addon for example.
Both Cookie and Set-Cookie headers are to count.