I have a weird problem. I have a script that will add a number into an array for each visited page, then put it into cookies.
Then on another page, it will display the list of the numbers inside the cookies.
It is working perfectly on my domain (https) with the WWW : https://www.mydomain.com
Problem is that it won't work without the WWW (https://mydomain.com). There seems to be two different cookies: one for https://mydomain.com and another for https://www.mydomain.com
I also want to share the cookies for the subdomains WITHOUT https
So basically it should be the SAME cookie for:
https://www.domain.com
https://domain.com
http://subdomain.domain.com
How can I do that?
Currently, I use:
setcookie("viewed_articles", serialize($lastviewedarticles));
That is correct behavior. When you set the cookie, you need to set it for .domain.com and it will apply for all domains contained within domain.com.
setcookie("viewed_articles", serialize($lastviewedarticles), time()+60*60*24*30, '/', '.domain.com');
The code here will set the cookie for 30 days, and for the entire domain.com
See the php-docs for setcookie. You can add domain and path after the expired values.
Set path to / and domain to .mydomain.com to make the cookie global for your site.
Set the domain in the cookie, and also set the http-only value to avoid possible XSS:
setcookie("viewed_articles", serialize($lastviewedarticles), time()+3600, '/', '.yourdomain.com', false, true);
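Putting the three answers above together, as an added example that is not code from the question or any of the answers: one cookie scoped to the whole domain using the array form of setcookie() (PHP 7.3+), plus a reader that re-validates what comes back. The domain example.com, the article ids and the 30-day lifetime are assumptions. Browsers following RFC 6265 treat Domain=example.com and Domain=.example.com identically and send the cookie to the domain and all of its subdomains.

```php
<?php
// Added example (not from the original question or answers). Shares the
// "viewed_articles" cookie between example.com and every subdomain and reads
// it back with validation. Domain, ids and lifetime are assumptions.

const COOKIE_NAME   = 'viewed_articles';
const COOKIE_DOMAIN = 'example.com';     // Domain attribute: sent to example.com and *.example.com
const COOKIE_TTL    = 60 * 60 * 24 * 30; // 30 days, as in the first answer

// Keep only positive integers so the cookie never carries arbitrary data.
function clean_ids(array $ids): array
{
    $ids = array_filter($ids, fn($id) => is_int($id) && $id > 0);
    return array_values(array_unique($ids));
}

function save_viewed_articles(array $ids): bool
{
    // json_encode() instead of serialize(): unserialize() on client-editable
    // data can instantiate arbitrary classes (PHP object injection).
    return setcookie(COOKIE_NAME, json_encode(clean_ids($ids)), [
        'expires'  => time() + COOKIE_TTL,
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,  // only sent over https
        'httponly' => true,  // invisible to document.cookie, which limits XSS impact
        'samesite' => 'Lax',
    ]);
}

function load_viewed_articles(?string $raw): array
{
    if ($raw === null || strlen($raw) > 4096) {
        return [];
    }
    $decoded = json_decode($raw, true);
    // A cookie is client-controlled: re-validate instead of trusting it.
    return is_array($decoded) ? clean_ids($decoded) : [];
}

// Usage on an article page (must run before any output is sent):
$viewed   = load_viewed_articles($_COOKIE[COOKIE_NAME] ?? null);
$viewed[] = 42; // constructed article id for the page being viewed
save_viewed_articles(array_slice($viewed, -20)); // keep the cookie small
```

One trade-off against the http://subdomain.domain.com requirement in the question: with secure set, the browser will not send this cookie to a plain-http subdomain at all, and dropping secure exposes the cookie (and the article list) to anyone on the network path. json_encode()/json_decode() replace serialize()/unserialize() because unserialize() on data the client can edit allows PHP object injection.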
I own a lot of subdomains, but only the main domain has SSL. On each subdomain there is a different website, and all are using the same CMS system, the same files and hosting (basically it redirects to the main domain and using PHP I show the site they want to see). I have one SSL to my main domain only. It won't work on subdomains obviously. So I thought to submit the form to the main domain from the subdomain using AJAX, but I guess it isn't safe, so I decided that I should use:
<iframe src="https://main.com/login.php?webid=958325&pageid=83985&hash=hjWR23grvw$%F$W"></iframe>
but the problem is the cookies. How can I create a cookie that will work on all subdomains, the main domain, and if it is possible, to some specific urls (that works the same way, but domain and not subdomain).
http://php.net/setcookie
The fifth and sixth parameter might interest you, which are respectively:
(5th) domain
(6th) secure
For example:
// This cookie will only be set for domain.com/folder if a secure connection exists and will expire once the browser closes.
// The cookie path must start with a slash, so '/folder/' rather than 'folder/'.
setcookie('cookie', $variable, 0, '/folder/', 'domain.com', true);
To have the cookie working on all subdomains you need to set the cookie to .example.com, but it won't work on example.com, so you may need to set two cookies.
I have actually set the following cookie for the following domain:
setcookie("thing", $data, time()+3600, "/", "example1.com", 1);
The cookie was set from this domain: example2.com
When I try to search for the cookie 'thing' I can't seem to find it. How is it possible to set a cookie on a domain, which will remain on another domain if I search for it?
UPDATE:
I basically want to pass a value from Domain A to Domain B. When a visitor arrives to Domain A he/she gets redirected AND pass a value to Domain B which I'd like to capture there.
How is it possible?
Every browser prevents it.
Cookies can not be shared between domains.
https://wikipedia.org/wiki/Same-Origin-Policy
I'm pretty sure it is impossible to create a cookie for another domain - this would be a pretty significant security hole.
See #scones' link.
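The answers are right that example1.com can never set or read a cookie for example2.com. What the question actually asks for (redirect from Domain A and hand a value to Domain B) can be done without cross-domain cookies: carry the value in the redirect URL as a short-lived, HMAC-signed token, and let Domain B verify it before setting its own cookie. This is an added example, not code from the question or from any answer; the shared secret, the domain names, the 'user_ref' payload key and the 60-second lifetime are assumptions.

```php
<?php
// Added example, not code from the question or the answers. example1.com
// redirects to example2.com with a signed, expiring token in the URL; example2.com
// verifies it and stores the value in a cookie of its own. Secret, hosts and
// payload key are assumptions.

const HANDOFF_SECRET = 'replace-with-a-long-random-secret-shared-by-both-sites'; // placeholder
const HANDOFF_TTL    = 60; // seconds a token stays valid

function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function make_handoff_token(array $payload, int $now): string
{
    $payload['exp'] = $now + HANDOFF_TTL;
    $body = base64url_encode(json_encode($payload));
    $sig  = hash_hmac('sha256', $body, HANDOFF_SECRET);
    return $body . '.' . $sig;
}

// Returns the payload, or null when the token is malformed, tampered or expired.
function verify_handoff_token(string $token, int $now): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $sig] = $parts;
    $expected = hash_hmac('sha256', $body, HANDOFF_SECRET);
    // Constant-time comparison so the signature cannot be guessed byte by byte.
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    $json    = base64_decode(strtr($body, '-_', '+/'), true);
    $payload = $json === false ? null : json_decode($json, true);
    if (!is_array($payload) || !isset($payload['exp']) || !is_int($payload['exp']) || $payload['exp'] < $now) {
        return null;
    }
    return $payload;
}

// On Domain A (example1.com): redirect with the signed value.
// $token = make_handoff_token(['user_ref' => 'u-12345'], time());   // constructed value
// header('Location: https://example2.com/landing.php?t=' . urlencode($token));

// On Domain B (example2.com): verify first, then set B's own cookie.
// $payload = verify_handoff_token($_GET['t'] ?? '', time());
// if ($payload !== null) {
//     setcookie('thing', $payload['user_ref'], [
//         'expires' => time() + 3600, 'path' => '/', 'domain' => 'example2.com',
//         'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
//     ]);
// }
```

The token is signed, not encrypted, so put nothing secret in the payload; and within its 60-second window it can be replayed, so if the value is sensitive add a nonce that Domain B stores and accepts only once.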
IE10 appears to handle cookies and subdomains differently than other major browsers (IE8, IE9, Firefox, Chrome, Safari).
We use subdomains extensively for test environments, e.g.:
user1.devel.example.com
user2.devel.example.com
qa.example.com
And our production environment lives at the top, e.g. example.com (and technically at www.example.com as well).
We use the php setcookie($name, $value, $expires) function naively (no explicit path or domain is specified) to set a cookie, and then clear cookies (when user logs out) by assigning an empty string to the value. This has always worked fine, and each unique subdomain used their own cookies.
IE10 now "shares" the cookie that was set in the TLD with all subdomains. The initial symptom we observed was that no one could log out of the subdomain. We've observed a few things:
Even though it shares the value, no subdomain is able to clear the cookie.
When the TLD clears the cookie, it is immediately removed from all subdomains as well.
Has anyone else observed similar behavior to how IE10 stores/applies cookies relative to subdomains? Is there any workaround, other than being explicit about which domain the cookie applies to when sending the initial Set-Cookie header?
I have just run into this issue.
Here is a link to someone exploring this bug/issue:
Cookies with and without the Domain Specified (browser inconsistency)
This also might be related:
Cookie set for subdomain, but IE Developer Tools show cookie at root domain. What am I missing?
My conclusion is that when setting a cookie from a non-www root domain (http://sites.com), in IE this is seen as a wildcard cookie for all subdomains. Chrome and Firefox do not show this behavior - they associate a cookie set from a non-www root domain as being associated only with that root.
I coded up example sites using .net webforms, IIS and my hosts file. I had 3 sites:
a.site.com, b.site.com and site.com. They all served cookies with the exact same name. Let's call it "ShoppingCart".
You can set multiple properties on cookies, including the domain the cookie should be associated with. I left this property to be defined/left undefined by .net. When Chrome received the cookie from each site, it displayed the domain of the cookie as being explicitly from the domain listed in the browser address bar. In IE this was not the case. IE treats the cookie from http://sites.com as being defined as ".sites.com" and according to the RFC for cookies this means it is accessible from all subdomains.
Also in IE, if multiple cookies are set with the same name, IE returns them to the server in the order they were set. So if I visit http://sites.com first and then visit http://a.sites.com and then refresh, IE views the cookie from http://sites.com as a valid cookie to send to the server in its request for http://a.sites.com, which is sent along with the cookie for http://a.sites.com, except the cookie for http://sites.com is the first in the list.
In .net, from what I've seen, cookies are generally accessed by keyname and not by index. So when the server side code attempts to access the value for the key named "ShoppingCart", it will grab the value for the first site that set the cookie value - here that would be http://sites.com.
In summary - don't use non-www domains when you have subdomains that all share the same cookie key names because, while Chrome/Firefox handle the domain association as you would expect, IE causes buggy behavior.
Edit--
Just to clarify for anyone reading this, I was using IE10 to explore this issue.
Super easy way to fix this if you have multiple PHP sites on a domain.
For example - if you have Wordpress on the root (example.com) and you have a custom PHP app on the subdomain (a.example.com) then either within your app or Wordpress you need to set a different SessionName.
Add the session_name() prior to your session_start(), which should give two separate names to the session and therefore not clash.
session_name('AppSession');
session_start();
Easy.
Yes, this is a known issue it seems, read here: http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx
They refer to this test: http://debugtheweb.com/test/cookieinherit.aspx and http://www.debugtheweb.com/test/cookieinherit.aspx
I am having the same issue in IE 11.0.9600 for the PHP session cookie: Internet Explorer is sending root domain cookies to all its subdomains. To solve this, I store the domain name in a session variable:
$_SESSION['URL'] = str_replace('www.', '', $_SERVER['HTTP_HOST']);
Then for every request, I check the session variable:
if (str_replace('www.', '', $_SERVER['HTTP_HOST']) != $_SESSION['URL']) {
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION['URL'] = str_replace('www.', '', $_SERVER['HTTP_HOST']);
}
Then, when we move from the root domain to the subdomain, we will not be 'in' the same session.
I'm trying to deal with two PHPSESSID cookies. One uses the www subdirectory - so www.mydomain.com - while the other uses .mydomain.com.
As it stands now the script is able to set the cookie domain, but if another script is run at the www subdomain before I access mydomain.com, then the cookie is set for www.mydomain.com. Then if I visit mydomain.com a cookie for .mydomain.com is set. This means that I can end up with two PHPSESSID cookies.
Is there a way to be sure of which cookie I'm dealing with in a scenario like this?
I've looked at another post but didn't come away with anything conclusive.
How to handle multiple cookies with the same name?
Why not just change the session cookie name in the php.ini?
session.name = WHATEVER_YOU_LIKE
You should instead redirect all of your traffic to one of the two. This will take care of the issue you are having and take care of duplicate search results. Use either www or no www. Check line 362:
https://github.com/h5bp/html5-boilerplate/blob/master/.htaccess
Unless you have a reason to use both www. and .
Put this at the top of the first PHP file that runs, like index.php or a config.php file, before the session starts.
<?php
if (stripos($_SERVER['HTTP_HOST'], 'www') === false) {
    ini_set('session.cookie_domain', 'site.com');
} else {
    ini_set('session.cookie_domain', 'www.site.com');
}
?>
This will cause the cookie to only be associated with one or the other domain, meaning that the user can have 2 cookies named PHPSESSID.
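As an added example that is not code from any answer on this page (it combines the IE question above, the host check stored in the session from the IE 11 answer, the session_name() answer, and the per-host session.cookie_domain idea in this one): keep each host's session strictly separate. A host-only cookie (no Domain attribute, which PHP emits when the domain is empty) is the standards-conforming scope; because IE forwarded a root-domain cookie to subdomains anyway, the cookie name is also derived from the host, and the host is recorded inside the session. Logout then deletes the cookie with exactly the attributes it was set with, since a browser ignores a deletion whose domain or path differs. The allowed host list and the name prefix are assumptions; the array forms of session_set_cookie_params() and setcookie() need PHP 7.3+.

```php
<?php
// Added example (not from any answer on this page). Binds the PHP session to one
// host: host-only cookie (no Domain attribute), a cookie name derived from the
// host, and the host recorded in the session. Allowed hosts are assumptions.

const ALLOWED_HOSTS = ['example.com', 'www.example.com', 'qa.example.com'];

function current_host(): string
{
    // The Host header is client-supplied: accept only known values.
    $host = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '', 2)[0]);
    return in_array($host, ALLOWED_HOSTS, true) ? $host : 'example.com';
}

// Cookie name derived from the host, e.g. "sessqaexamplecom" for qa.example.com,
// so a root-domain cookie forwarded by IE is a different name and is ignored.
function session_name_for(string $host): string
{
    return 'sess' . preg_replace('/[^a-z0-9]/', '', $host);
}

function start_host_bound_session(): void
{
    $host = current_host();
    session_name(session_name_for($host));
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',     // empty: host-only cookie, not shared with subdomains
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    // If a session created on another host still reached us, start a fresh one.
    if (isset($_SESSION['host']) && $_SESSION['host'] !== $host) {
        session_regenerate_id(true);
        $_SESSION = [];
    }
    $_SESSION['host'] = $host;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // The browser only deletes a cookie when name, domain and path match the
    // original Set-Cookie, so reuse exactly the parameters the session used.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

start_host_bound_session();
```

This is the opposite choice from the answers that share one session across subdomains with session_set_cookie_params() and a domain of .example.com; either is fine, but pick one deliberately, because mixing host-only and domain cookies of the same name is exactly how the two PHPSESSID cookies in the question arise.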
If I set a session in http://example.com/path/file1.php
then I can't get it in http://www.example.com/path/file2.php
but I do get the value in http://example.com/path/file2.php
The "www." is creating the issue.
Is that a bug?
No, that's intended behaviour.
"" is treated as another subdomain than "www" (or other ones, if you have more subdomains), and so it's saved in a different cookie (by default, a cookie's validity is per domain).
To avoid this, you could simply redirect users that enter from http://example.com/path/file1.php (or anything else with "example.com") to http://www.example.com/path/file1.php (or anything else with "www.example.com").
You can share the session cookie across all subdomains if you call session_set_cookie_params with a value of ".example.com" (notice the leading dot) in the domain parameter.
To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set the domain parameter in setcookie() method to '.example.com'
[src here]