I'm having this problem where the cookie is not saving, and it has to do with the domain.
I am setting the domain like:
$cookie_domain = $_SERVER['HTTP_HOST'];
And setting it like:
setcookie($name, $value, time() + $cookie_lifetime, $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly);
And it doesn't work. But if I do:
setcookie($name, $value, time() + $cookie_lifetime, $cookie_path, '', $cookie_secure, $cookie_httponly);
It's fine. What gives?
What is the value of $_SERVER['HTTP_HOST']?
According to PHP: The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.
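One way to derive the domain argument from the Host header, as an added example that is not part of the original posts: `$_SERVER['HTTP_HOST']` is whatever the client sent and keeps a non-default port, so the value is normalized and checked against an allowlist before use. `ALLOWED_COOKIE_DOMAINS` and `cookieDomainFor()` are hypothetical names, and the sample hosts are constructed.

```php
<?php
// Added example; ALLOWED_COOKIE_DOMAINS and cookieDomainFor() are hypothetical names.
const ALLOWED_COOKIE_DOMAINS = ['example.com']; // assumed: domains this site really serves

function cookieDomainFor(string $hostHeader): string
{
    $host = strtolower(trim($hostHeader));
    // HTTP_HOST keeps a non-default port ("example.com:8080"); a port is not
    // valid in a cookie Domain attribute, so strip it.
    $host = preg_replace('/:\d+$/', '', $host);
    $host = rtrim($host, '.');

    // IP literals and single-label names such as "localhost" are left host-only.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false || strpos($host, '.') === false) {
        return '';
    }
    // The Host header is client-supplied, so only return a domain we expect.
    foreach (ALLOWED_COOKIE_DOMAINS as $allowed) {
        $suffix = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            return $allowed; // cookie shared by the domain and its subdomains
        }
    }
    return ''; // unknown host: empty Domain gives a host-only cookie
}

// Constructed Host header values, not taken from the page.
$samples = ['www.example.com', 'Example.com:8080', 'localhost:8000', '203.0.113.7', 'unknown-host.test'];
foreach ($samples as $h) {
    printf("%-18s => %s\n", $h, var_export(cookieDomainFor($h), true));
}
```

Pass the result as the `$domain` argument of `setcookie()`; the empty string is the same value the question reports as working.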
Related
I have a web site written in PHP and running on an Nginx HTTP server. I have a cookie called "locale" which represents the user locale. For 6 months, I have been sending the cookie like this:
setCookie("locale", "fr", time() + 36000, "/");
As a domain-less cookie, I understand it's only available on my single domain "www.mydomain.com".
But now, I want to create 2 new subdomains:
m.mydomain.com (the mobile part)
secure.mydomain.com (a secure version)
I see the "locale" cookie set on www is not accessible by m or secure. So now I am sending the cookie like this:
setCookie("locale", "fr", time() + 36000, "/", ".mydomain.com");
Yeah, my cookie is available everywhere now! But as I have some users who had already browsed my web site, they have the domain-less cookie plus the new one; their browser sends me both cookies, but PHP gives me the former one. As a result, nobody can change the locale any more.
The question is: how can I migrate from this domain-less cookie to a domain-specified cookie, without changing the cookie name?
The first cookie you set without the domain defaulted to www.mydomain.com and because that's more specific than '.mydomain.com' it's choosing the original cookie. Read the accepted answer here.
How to get the domain of a specific cookie?
In conclusion, I will put this in my index.php file for 1 week:
setCookie('locale', null, time() - 5000, '/');
in order to delete the domain-less cookie. I have tested on all major browsers, and I don't see any conflict with:
setCookie('locale', 'fr', time() + 36000, '/', '.mydomain.com');
I am having a problem with setting a cookie with PHP. I am trying to set a cookie (id) from www.example.com/login.php and I want to use it from every place on the website. For example, I want to use it in:
www.example.com/main.php
www.example.com/users.php
www.example.com/login.php
This is my PHP code:
$expire = time() + 31556926;
$cookie_id = $insert_userid;
setcookie ("id");
setcookie("id", $cookie_id, $expire, '/', 'www.example.com');
I do not have any subdomains. Also, for the domain index in the setcookie function, I am not sure which one to provide: www.example.com or example.com.
www.example.com
If you had subdomains and wanted to allow them:
.example.com
Wikipedia is pretty useful on this:
Most browsers, by default, allow first-party cookies—a cookie with
domain to be the same or sub-domain of the requesting host. For
example, a user visiting www.example.com can have a cookie set with
domain www.example.com or .example.com, but not .com.
I wonder how this quote from the PHP manual should be interpreted:
session.cookie_domain specifies the domain to set in the session
cookie. Default is none at all meaning the host name of the server
which generated the cookie according to cookies specification.
Does it mean that when calling session_start on URL www.somedomain.com/somepage.php the cookie will have the following form:
Set-Cookie PHPSESSID=e48gh5mqggccgmn8172f0j5a06; path=/; domain=.somedomain.com
Or
Set-Cookie PHPSESSID=e48gh5mqggccgmn8172f0j5a06; path=/; domain=www.somedomain.com
I have seen on index pages the first cookie header and on other pages a header without a domain.
Can someone bring some insight on this?
Thanks
No, PHP will usually set the cookie for the current domain, e.g. www.domain.com.
To have everything consistent, you must either redirect all requests to the same domain, or explicitly set the cookie for all subdomains.
EDIT: actually, this is true for Firefox. I think PHP will not actually set the domain, so the browser is free to use whatever it wants. Internet Explorer, I think, will set it for any subdomain.
No, PHP by default never sets the session cookie for all subdomains.
If you want to set a cookie across all subdomains then you can do this by using this code:
<?php
$currentCookieParams = session_get_cookie_params();
$rootDomain = '.example.com';
session_set_cookie_params(
    $currentCookieParams["lifetime"],
    $currentCookieParams["path"],
    $rootDomain,
    $currentCookieParams["secure"],
    $currentCookieParams["httponly"]
);
session_name('mysessionname');
session_start();
setcookie($cookieName, $cookieValue, time() + 3600, '/', $rootDomain);
?>
For reference please visit http://www.php.net/manual/en/function.session-set-cookie-params.php
It does set the cookie for the domain visible in the client's browser (so, option 2 in your question). If you want to set a cookie for all subdomains you should call session_set_cookie_params() and put ".domain.com" in the $domain parameter.
How to get session cookies working / to be accessible under domain and subdomains?
For session cookies you need to override the cookie params:
So you can either use:
ini_set('session.cookie_domain', '.website.com');
or
session_set_cookie_params(0, '/', '.website.com');
The '.' in front makes it accessible under the domain and the subdomains.
Note: you will have to delete all existing cookies from your browser for the domain you're working with so they can be re-initialized properly to work.
If you set the cookie for the "top" domain (example.com), the cookie will also apply to subdomains (sub.example.com, another.example.com).
As an aside, this is the reason why some larger companies use completely separate domains to serve static stuff, like stackoverflow uses http://sstatic.net/
I'm assuming you are using setcookie(). If so just set the cookie for ".domain.com".
setcookie("testcookie", "1", 0, "", ".domain.com");
OK, I have a cookie set, and I can clearly see it if I go to private data in Firefox. When I echo it on one page in a certain directory it works (www.example.com/dir), but on the index page of the site (www.example.com) it won't echo; it says the cookie is not set. Yes, I have cookies enabled; yes, I tried clearing the cache and all that. Any ideas? PHP btw.
Which directory are you in when the cookie gets set?
From the PHP manual on setcookie(), emphasis mine:
Path
The path on the server in which the cookie will be available on. If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.
Cookies can be bound to a specific domain, subdomain, path, and protocol (http/https). You need to specify the path when setting the cookie in PHP:
setcookie("TestCookie", "Value", time()+3600 , '/' );
The fourth parameter binds it to the root of the site and it will be available in any subdirectory of the main site.
If you want it available on the main domain and any subdomain, supply the fifth parameter like this:
setcookie("TestCookie", "Value", time()+3600 , '/', '.example.com' );
Now it will be readable at:
www.example.com
example.com/newdir
awesome.example.com/newdir
You need to check the path that the cookie is being set.
If it's not '/', there's your answer!
Yes, try this. I was also facing this problem but resolved it with the code below.
setcookie("TestCookie", "Value", time()+3600 , '/' );
Set your path option; the default value is the current directory that the cookie is being set in. Because you're setting the cookie in the directory /dir, it's only available within that directory or below it.
You get around this by explicitly setting the path, i.e.
setcookie(name,value,expire,path,domain,secure)
Set the path to "/".
setcookie("Cookie_name", "Cookie_Value", time()+3600 , '/' );
The fourth parameter ('/') will make your cookies accessible to pages in parent directories.
You need to set the $path to / in setcookie() if you want to access it in all directories.
Cookies Must Be Set Before Page Output !!!
Since cookies are sent by the script to the browser in the HTTP headers, before your page is sent, they must be set before you even send a single line of HTML or any other page output. The moment you send any sort of output, you are signalling the end of the HTTP headers. When that happens, you can no longer set any cookie. If you try, the setcookie() function will return FALSE, and the cookie will not be sent.
setcookie('cookie_username', $cookie_username, time() + (86400 * 30), "/"); // 86400 = 1 day, '/' denotes cookie available in entire directory.
And in another page:
$username = $_COOKIE['cookie_username'];
Also make sure that the browser is not blocking cookies.
If you want to use cookies in a subdomain also:
setcookie('cookie_username', $cookie_username, time() + (86400 * 30), "/", ".subdomain.com"); // 86400 = 1 day, '/' denotes cookie available in entire directory.
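The domain and path rules discussed in the threads above (the duplicate "locale" cookie and the cookie that is only visible under /dir), modelled as an added example that is not part of the original posts. It follows the RFC 6265 domain-match, path-match and ordering rules; the cookie jar, its values and the function names are constructed for illustration, and arrow functions need PHP 7.4 or later.

```php
<?php
// Added example: which stored cookies a browser attaches to a request.

function domainMatches(string $host, array $c): bool
{
    if ($c['hostOnly']) {
        return $host === $c['domain'];        // no Domain attribute: exact host only
    }
    $d = ltrim($c['domain'], '.');            // a leading dot is ignored
    return $host === $d || substr($host, -strlen(".$d")) === ".$d";
}

function pathMatches(string $reqPath, string $cPath): bool
{
    if ($reqPath === $cPath) return true;
    if (strncmp($reqPath, $cPath, strlen($cPath)) !== 0) return false;
    // a prefix only counts on a "/" boundary: /dir matches /dir/x, not /directory
    return substr($cPath, -1) === '/' || $reqPath[strlen($cPath)] === '/';
}

function cookiesSent(array $jar, string $host, string $path): array
{
    $hits = array_filter($jar, fn($c) => domainMatches($host, $c) && pathMatches($path, $c['path']));
    // ordering: longer paths first, then earlier creation time
    usort($hits, fn($a, $b) => [strlen($b['path']), $a['created']] <=> [strlen($a['path']), $b['created']]);
    return array_map(fn($c) => "{$c['name']}={$c['value']}", $hits);
}

// Constructed jar: old host-only cookie, new domain cookie, and a cookie set from /dir.
$jar = [
    ['name' => 'locale', 'value' => 'fr', 'domain' => 'www.mydomain.com', 'hostOnly' => true,  'path' => '/',    'created' => 1],
    ['name' => 'locale', 'value' => 'en', 'domain' => '.mydomain.com',    'hostOnly' => false, 'path' => '/',    'created' => 2],
    ['name' => 'TestCookie', 'value' => 'Value', 'domain' => 'www.mydomain.com', 'hostOnly' => true, 'path' => '/dir', 'created' => 3],
];

$requests = [['www.mydomain.com', '/'], ['www.mydomain.com', '/dir/page.php'], ['m.mydomain.com', '/']];
foreach ($requests as [$host, $path]) {
    echo $host, $path, ' -> ', implode('; ', cookiesSent($jar, $host, $path)), "\n";
}
```

On www both "locale" cookies are sent, with the older host-only one first, while the /dir cookie is absent from the request for "/"; PHP's `$_COOKIE` keeps the first value when a name repeats.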