If I belong to the no-www camp, cookies I have set in http://example.com would be read by http://sub-domain.example.com,
And regardless of the language I use (perl / asp.net / php / JSP) there is no way I could ever work around this issue because it is a fundamental architecture of HTTP itself, true or false ?
What I'm concerned here is, is there any DNS config that would prevent http://sub-domain.example.com from reading the cookies set in http://example.com ?
I have a domain name http://qweop.com
I have a subdomain at http://sd.qweop.com
Now, the problem is that even though I've not set any cookies on http://sd.qweop.com, when I read the cookies, there are cookies there. They are reading cookies from http://qweop.com.
How do I fix the problem so that the cookies from the main domain would not be read by (a request to) the sub-domain?
I've tried altering the 5th parameter of the php setcookie function but it doesn't seem to do anything. Basically that parameter is like useless. I'm suspecting it's a limitation of the HTTP infrastructure.
DETAILS:
http://qweop.com/set.php (try to use incognito to allow easy cookie removal)
<?php setcookie("testcookie","testvalue",time()+60*60*24*30,"/","qweop.com");?>
cookies set
http://sd.qweop.com/read.php
<?php print_r($_COOKIE); ?>
// No one had set any cookies in http://sd.qweop.com but we can see cookies here! Error!
Answer: Yes
I had better catalog the answer here after 500 hours of google research.
Basically we should always use www if we're planning to use any other sub-domains and we want them cookie-free. This is because there are different browser behaviors with regards to top-level domain cookies.
We can try our best to tell the browser "Hey's set it to just the domain and not to it's sub-domains" but as long as the url is non-www, they won't be nice and behave the way we want them to.
In fact, even if the url is not non-www, they can still do whatever they want to, there is currently no record of any browser that does that (and most likely so too into the future).
I believe you cannot do anything about it. You might try to set the cookie as:
setcookie('some_name', 'some_val', 0, '/', 'yourdomain');
but it will be set to all subdomains of yourdomain even though RFC 2109 says if the cookie is to match the subdomains it should be set with a dot as .yourdomain. All major browsers are sending it to the subdomains. I checked it with IE, FF and Chrome.
Unfortunately, DNS config has absolutely nothing to do with cookies (as long as they belong to the same 2-nd level domain, of course).
You still can have a practical answer if you ask a practical question though.
Related
I need to set the PHPSESSID coockie for just two domains:
www.domain.tld
sub.domain.tld.
Other subdomains should not share the same PHPSESSID.
I can use session_set_cookies_param(), but as far as I can see, this can only set it for one domain or all subdomains.
But in my case, subdomain anothersub.domain.tld should not have this PHPSESSID.
I want this because we have images on a subdomain, and setting the PHPSESSID for all subdomains causes the browser to send the PHPSESSID cookie with the request. This has slight performance issues for static resources and it is recommended to use cookieless domains
This can't be done this way, this is unrelated to PHP. This is how cookies works in general. Only one domain (or a domain with a dot in front) can be set.
You have to use different domain for image hosting.
While as was already explained, this is not technically possible, due to the cookie “syntax”, I think you should be able to work around that, if you simply set a second cookie yourself.
Use session_set_cookies_param to have it set the cookie for www.domain.tld only.
Add your own code after session_start, that sets the “same” cookie again, just for sub.domain.tld this time.
session_name and session_id help your figure out the necessary name and value; if you want, you can also use session_get_cookie_params to match other parameters (like lifetime and maybe path, if the latter makes any sense in the given setup) as well if you like.
Edit: Keep in mind though, that if the session id might change at any other point within your app after session_start, for example if session_regenerate_id is used anywhere, you will of course have to update your second cookie there as well.
Framework: Laravel 5.1
Problem browsers: All versions of IE (inc. Edge)
Problem: When posting a form a cookie is set when the user is send back after submitting the form.
return Response::make($view)->withCookie(cookie('parameters', json_encode($request->except(['_token']))))
This works in ALL browsers, except of course Internet explorer (why does this browser still exists?!)
In internet explorer i get an empty array when i dump the cookie. I've tried a lot. I'm not using iframes, but i did try to use P3P headers without success, i've set IE to the lowest security level possible, also without success. I'm not using suddomains or underscores in the cookiename. I tried it on multiple domains without success, i tried it on apache, nginx, and in my local env. (homestead) it also does not work.
It looks like the cookie isn't set (while in all other browsers it is being set). Unfortunately IE does not have an option or possible add-on to easily check al stored cookies (like all other browsers do). But i`m almost certain the cookie doesn't get stored. This is strange, because laravel's session cookies are stored.
I think i already spent a half a day on this, but cant find any solutions. If i would get payed for all the hours i spend on weird bugs with IE, i would be a very rich man. Will stop bashing IE now, but men, what a horrible browser.
edit: Other things i tried: Timezone checks, date checks, server time etc. All didnt work
Maybe you should try renaming session cookie to a alpha numeric string. It's laravel_session which is causing problem in IE. I remember last month when I deployed my app with session cookie (domain.com) and I got similar token mismatch error in every browser due to . in session name.
I tried to Google and came up with this:
Security patch MS01-055 prevents servers with improper name syntax
from setting cookies names. Domains that use cookies must use only
alphanumeric characters ("-" or ".") in the domain name and the server
name. Internet Explorer blocks cookies from a server if the server
name contains other characters, such as an underscore character ("_").
Because ASP session state and session variables rely on cookies to
function, ASP cannot maintain session state between requests if
cookies cannot be set on the client.
This issue can also be caused by an incorrect name syntax in a host
header.
Source: https://support.microsoft.com/en-us/kb/316112
Q5: IE won’t set a cookie when the hostname/domain contains an
underscore?
A: Correct. Technically, an underscore (like this _ ) is not a DNS
character, and while Windows will let you use an underscore when
naming your machine, it warns you that doing so may cause problems.
One such problem is that WinINET blocks attempts to set cookies on
such domains. See http://support.microsoft.com/kb/316112/en-us
http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx
I have been losing my session variables rather consistently when I click on the link from our websites notification email. After breaking my head for a long time on this, I today realized that www.domain-name.com does not contain the session variables while domain-name.com does!!
Why does this happen? And what do I do to set things right(php-apache)?
Sessions are based on cookies, which are per-domain.
www.domain.com is a different domain than domain.com, so their cookies are kept separate.
Standard practice is to choose one variant and 301 redirect the other variant to the preferred one.
The session ID is stored in a cookie, and in the cookie can be specified how it should react over domain names.
Take a look at PHP's setcookie documentation.
You can change PHP's session cookie configuration with:
ini_set("session.cookie_domain", ".mydomain.com");
There's nothing technically special about ‘www’. The domain ‘domain.com’ is distinct from ‘www.domain.com’; if you want to associate them, that needs to be explicit somewhere, usually in the HTTP server configuration.
How to redirect with .htaccess file:
http://papermashup.com/useful-htaccess-techniques/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/#red2
I have configured the wildcard DNS of *.mydomain.com and it's all working properly. My question is which of these should I rely on identifying client subdomain requests?
$_SERVER["HTTP_HOST"]
$_SERVER["SERVER_NAME"]
$_SERVER["SCRIPT_URI"]
They all seem to contain the subdomain part I want but after reading this article by Chris: http://shiflett.org/blog/2006/mar/server-name-versus-http-host, I'm lost at sea and there appears to be no safe way to do this?
Any idea on accomplishing this task securely? Which approach would you prefer?
Update: sorry, I meant this post: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
HTTP_HOST comes directly from the HOST header. Apache does not clean it up in any way. Even for non-wildcard setups, your first virtualhost in your config will receive a request for a HOST header that doesn't match any of your configured vhosts, so you have to be careful with it. Treat it like any other user data. Filter it appropriately before using it.
I'd suggest that you get the current page url, then use a regular expression to check. Be sure to ignore things link www, www2, etc.
You can use any but most use HTTP_HOST.
You don't have to worry about 'security' here since you allow a wildcard for your subdomains. You won't be able to stop a user from entering a 'threatening' subdomain and sending a request to your server.
If you want to disallow certain subdomains then you have several options but thats a different question.
$subdomain = explode('.', $_SERVER['HTTP_HOST'], -2);
Returns an array always, and can be empty if there is no sub domain. You should also make sure to notice that this could return www as an array value and that would link to your root domain anyway.
Too much talk of such a little problem.
Everyone says its dangerous but noone bother to write a solution, as simple as
$mydomain='example.com';
$subdomain="";
$matches=array();
$pat='!([a-z0-9_]+)\.'.preg_quote($mydomain).'$!i';
if (preg_match($pat,$_SERVER['HTTP_HOST'],$matches)) $subdomain=$matches[1];
We have a local intranet site that everyone on the network uses. Maybe 5% (or even less) of the users that use the site have problems where the session isn't stored properly.
I've tried defining a path manually (C:/Coookieess) and checking to see what's going on. Whereas most users' sessions are created and remain just fine, on the affected machines it seems that it either forgets the cookies are there or it can't read them, and then goes on to create a new cookie almost every time a page is refreshed.
Things to note are...
it only affects <5% of users
it only happens when using IE
it happens to those users regardless of what machine theyre using
it only happens with Windows XP or Vista - Windows 2000 works fine!
I've tried messing with the security settings in IE too, changing the cookie security to allow all cookies/sessions, but no luck on that either unfortunately :(
Any help would be amazing. I'm really stuck on this.
Thanks!
Just a random idea, and probably not relevant, but worth mentioning just in case - are the date and times set correctly on the computers you are having problems with?
I had the exact same issue and found that adding the P3P header before starting the session corrected it.
header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');
session_start();
One other thing you might want to check: are they using a proxy of any sort?
One of the PHP projects I worked on seemed to have troubles with sessions when the app was run on the intranet. Turned out that all of the IE installations had been set up to run through the corporate proxy which seemed to screw up every now and again...
A new cookie can get created when the site doesn't perceive one to be present or passed along from the previous request...
Is there anything about the site, your network or your clients that is causing the cookie hash to not be propagated between requests?
Use an HTTP analyzer (fiddler, nettool) to find out.
Not really got enough info to go on, but one thing that might be happening is that if you're storing the session in a cookie, you might have ended up with a cookie too large for IE to handle.
The definition of "Too Large" varies from browser to browser and OS to OS, though.
any chance your internal domain has an underscore in it? i.e. http://dev_server.example.net
Usage of underscores as DNS characters is kind of hazy. FF/Safari will work just fine, but IE will fail to set a cookie if it comes from a domain with an underscore
Most public registrars will prevent you from using bad characters, but internally there's nothing stopping you.
We came across an issue a fair while ago that would appear to be the same as this - sporadic appearance, only affecting older IE users.
At the time any resources or commentary was quite hazy, so we were never fully able to diagnose the issue - the closest information we found was to do with IE not playing nice with g-zipped data.
Anyway - solution we found that fixed our issue -
Manually set a content-type header through PHP, while removing the HTML declaration
header ("content-type: text/html; charset=utf-8");
Set your site to send a P3P (compact security policy) header.
See http://www.sitepoint.com/article/p3p-cookies-ie6/2/
Could it be that 5% of the users have user information that, when retrieved from the cookie, disrupts the proper reading/decoding/parsing of the cookie server-side?