I'm trying to deal with two PHPSESSID cocokies. One uses the www subdirectory - so www.mydomain.com - while the other uses .mydomain.com.
As it stands now the script is able to set the cookie domain, but if another script is ran at the www subdomain before I access mydomain.com, then the cookie is set for www.mydomain.com. Then if I visit mydomain.com a cookie for .mydomain.com is set. This means that I can end up with two PHPSESSID cookies.
Is there a way to be sure of which cookie I'm dealing with in a scenario like this?
I've looked at another post but didn't come away with anything conclusive.
How to handle multiple cookies with the same name?
Why not just change the session cookie name in the php.ini?
session.name = WHATEVER_YOU_LIKE
You should instead redirect all of your traffic to one of the two. This will take care of your issue you are having and take care of duplicate search results. Use either www or no www. Check line 362:
https://github.com/h5bp/html5-boilerplate/blob/master/.htaccess
Unless you have a reason to use both www. and .
Put this at the top of the first php file that runs, like index.php or a config.php file.. before the session starts.
<?php
if(stripos($_SERVER['HTTP_HOST'],'www')===false) {
ini_set('session.cookie_domain', 'site.com');
} else {
ini_set('session.cookie_domain', 'www.site.com');
}
?>
This will cause the cookie to only be associated with 1 or the other domains, meaning that the user can have 2 cookies named PHPSESSID.
Related
I have a weird problem. I have a script that will add a number into an array for each visited page, then put it into cookies.
Then on another page, it will display the list of the numbers inside the cookies.
It is working perfectly on my domain (https) with the WWW : https://www.mydomain.com
Problem is that it won't work without the WWW (https://mydomain.com). There seems to be two different cookies: one for https://mydomain.com and another for https://www.mydomain.com
I also want to share the cookies for the subdomains WITHOUT https
So basically it should be the SAME cookie for:
https://www.domain.com
https://domain.com
http://subdomain.domain.com
How can i do that?
Currently, i use:
setcookie("viewed_articles", serialize($lastviewedarticles));
That is correct behavior. When you set the cookie, you need to set it for .domain.com and it will apply for all domains contained within domain.com.
setcookie("viewed_articles", serialize($lastviewedarticles), time()+60*60*24*30, '/', '.domain.com');
The code here will set the cookie for 30 days, and for the entire domain.com
See the php-docs for setcookie. You can add domain and path after the expired values.
Set path to / and domain to .mydomain.com to make the cookie global for your site.
Set the domain in the cookie, and also the http-only value active to avoid possible xss
setcookie("viewed_articles", serialize($lastviewedarticles), time()+3600, '/', '.yourdomain.com',0,1);
if i am setting a session in http://example.com/path/file1.php
then can't getting it in http://www.example.com/path/file2.php
but getting the value in http://example.com/path/file2.php
the "www." is creating the issue.
Is that a bug?
no, thats intended behaviour.
"" is treated as another subdomain than "www" (or other ones, if you have more subdomains), and so it's saved in a different cookie (per default, a cookies validity is per domain).
to avoid this, you could simply redirect users that enter from http://example.com/path/file1.php (or anything else with "example.com") to http://www.example.com/path/file1.php (or anything else with "www.example.com")
You can share the session cookie across all subdomains if you call session_set_cookie_params with a value of ".example.com" (notice the leading dot) in the domain parameter,
To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set the domain parameter in setcookie() method to '.example.com'
[src here]
I have done a redirection from www.abc.com to www.def.com using .htaccess.
The redirection is successfull but I have a problem whereby the cookies and session can only be accessed when I access the website using def.com.
The session will be missing when it is checked from abc.com.
How to copy or read the session at def.com?
Please Help me.
well you can't do it simply. Maybe see this post ?
Your cookie containing your session id (and therefore, your entire session) is only valid on the domain where it is created. So when you change domains, the cookie is no longer available. To work around this, you could send the session ID to the new domain (which is not very safe, but you might not care), and then creating a new cookie and session for that domain.
This is called "cross site scripting" (XSS) and a lot of people work very hard to make sure that what you want isn't possible. If you do find a way to do it, be sure to let us know, because that would be a MAJOR security breach.
You can only share the same session on both domains when you have access to the session data storage from both servers. Depending on the session data storage type and location, you might need to write your own session storage handler.
Besides that, you also need to make sure that the same session ID is used on both domains. If you want to use cookies for the session ID, you can only do it when your domains share a common super-domain, so they are sub-domains of the a domain like foo.example.com and bar.example.com share the super-domain example.com. In that case you need to adjust the session cookie parameter domain and set it to value .example.com for the super-domain example.com.
Otherwise, like in your example where the domains do only share com as a top level super domain, you can’t use cookies (in the first place). But you can use the URL to transfer the session ID from one domain to the other domain. To do that you need to enable session.use_trans_sid and disable session.use_only_cookies (both at least on the redirection target domain) and append the session ID to every URL pointing from one domain to the other (here you can use the SID constant).
I am trying to share the contents of the session variable across two subdomains but for some reason it is not working.
The sessionid is exactly the same on both subdomains but the variables aren't available.
I can achieve this with Cookies and this is working but would rather use the values in the session.
Here is how I'm setting the domain for the session:
Thanks,
Scott
UPDATE
Sorry should have said, I am already using the following:
ini_set('session.cookie_domain', substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));
if(session_id ==''){session_start();}
You are looking for this function: session_set_cookie_params().
Say you have two domains:
site1.example.com
site2.example.com
In order to share your session data across both domains, call the following functiontion before session_start():
session_set_cookie_params(0, '/', '.example.com');
(Edit: indeed I forgot a dot in the example code)
The sessionid is exactly the same on
both subdomains (..)
Are you sure that the value (not the name) of sessionid is the same?
I needed similar thing 2 years ago, but I needed it to work on completely different virtual hosts (e.g., example.com and something.else.net), so I wrote a small script that ensures that user gets the same session_id on different virtual hosts. Source code is available at http://www.misc.lv/_downloads_file.php?id=18, but there's small bug on line 58 - arguments of strpos() should be swapped (I'm too lazy to fix it and upload fixed script).
Basic requirements/steps are:
all pages should be on the same server, as they need a common "storage" for session variables;
there must be one "main" host; there's no limit on a number of "additional" hosts;
if currently opened page is on the "main host" (and it is not a request of session_id), nothing "extraordinary" has to be done;
if page is not on the "main host" and there is an active session, nothing "extraordinary" has to be done, as session_id probably has already been shared;
if page is not on the "main host" and there is no active session, request a session_id from the "main host".
i am using php 5.2.8
i have index.html, which loads LOAD.PHP from IFRAME.
iframe src="load.php".....
i printed out load.php's session id.
then i ran another test.php, and printed out it's session id.
php session id's were different.
therefore, i cannot pass any session variables....
what is happening here ? this problem did not happen before, suddenly today it started happening.... however this problem still exists....its driving me nuts !
session.saved_path is same for both.... /var/php5, cookie path is same...
If PHP is creating a second session ID on the second load of the page, then it means that the first one was not passed back properly. Likely, the cookie is not being set for some reason. Things to check:
Test in multiple browsers?
Did you disable cookies in your browser somehow?
Is the iframe on a different domain or subdomain that might prevent cookie passing?
Install LiveHTTPHeaders or some other firefox add-in to check the cookies you are receiving
http://www.example.com will have a different sessionID than http://example.com
(not really an answer as your questions doesn't seem to me to have enough data to provice a certain answer, but rather a few things to check about)
The files are in the same domain and directory and the cookie are not limited to a different directory (i.e. path=/)? (note: they're not limited unless you tell that explicitly with session_set_cookie_params)
Is the browser sending the cookie (or are you maybe in "incognito mode")? If cookies don't work PHP will probably try to pass Session IDs in the QueryString and fail, if you go to test.php writing its name manually and not following a link (usually I use session.use_only_cookies=1 to avoid that).
They will have different SID if they have different cookie domain or cookies are not working at all and PHP is configured to use only cookies for session ID (session.use_only_cookies=1).
Cookies domain is explained here
Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
The default value of domain is the host name of the server which generated the cookie response.
So set a common domain for your hosts and they will share cookies, thus PHP SID :)