I have two servers: the live server (mydomain.com) and the QA server (qa.mydomain.com). When I set cookies I set the domain as ".mydomain.com" and ".qa.mydomain.com" respectively. One of these cookies, called "session_id", is used for authentication and login purposes. It is obvious that a cookie for one domain will not work on the other. However, as I am prepending the dot to the domain, PHP sometimes reads the ".domain.com" cookie on the QA server, with the result that I am not able to log in.
Are there ways to have PHP read the correct cookie?
Prepending the dot means it is valid also for all subdomains. So the .mydomain.com cookie is also valid for qa.mydomain.com.
Now it's not just PHP reading the cookie, but also the browser sending the cookies based on which domain they are valid for.
Since you're specifically talking about the session cookies, you might want to look into using named sessions. From what I can remember, the name of a session is also used in the name of the cookie, meaning you'd have a different session name for your live and test environment.
Otherwise removing the dot would also do the trick, but I'm guessing you do want it to work for www.mydomain.com, so I don't think it's a solution ;).
See http://se2.php.net/setcookie
The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.
You say:
It is obvious that a cookie for one domain will not work on the other.
when .mydomain.com should match all subdomains. I would remove the dot.
PHP reads all the cookies sent by the browser. Since every .qa.domain.com host is also a .domain.com host, it's normal to get all the cookies.
You'll need to either change the domain names, or change your PHP code in order to be able to identify the cookies that should be ignored from the ones that shouldn't.
I don't think that it is a PHP issue. The web browser is supposed to send the correct cookie to the appropriate web server. Some browsers may be implemented in such a way that sub-domain cookies are also sent back on main domain requests.
Related
I currently store cookies on my site at .domain.com, as I have a few subdomains that share the cookies (like authentication). I wanted to setup a test site so I could show some features publicly, so I setup a test.domain.com, which obviously gets the .domain.com cookies, but I'd like it not to. Is there some way for me to set it up so my test site reads only the cookies at .test.domain.com?
The 2 domains mydomain.com and subdomain.mydomain.com can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host.
For instance, if you sent the following header from subdomain.mydomain.com:
Set-Cookie: name=value
Then the cookie won't be sent for requests to mydomain.com. However if you use the following, it will be usable on both domains:
Set-Cookie: name=value; domain=mydomain.com
In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.mydomain.com) would allow it to be used across subdomains.
However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
In summary, if you set a cookie like the second example above from mydomain.com, it would be accessible by subdomain.mydomain.com, and vice versa.
See also: www vs no-www and cookies, this test script
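The domain-match rule the answer above describes, as an added example that is not part of the original answer: it implements the RFC 6265 domain-matching check browsers apply, plus the host-only rule for cookies set without a Domain attribute, and runs it over the hosts from the questions on this page (a constructed table).

```php
<?php
// Added example, not from any answer on this page: the RFC 6265 domain-match
// rule (section 5.1.3) browsers apply when deciding whether a stored cookie is
// sent to a host, plus the host-only rule for cookies set without Domain.

/** Normalise a Domain attribute as RFC 6265 5.2.3 does: lower-case it and
 *  drop the leading dot that RFC 2109 used to require. */
function normalizeCookieDomain(string $domain): string
{
    return ltrim(strtolower(trim($domain)), '.');
}

/** True if $host domain-matches $cookieDomain: equal, or $host ends with
 *  ".$cookieDomain" and is a host name rather than an IP address. */
function domainMatches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $cookieDomain = normalizeCookieDomain($cookieDomain);
    if ($host === $cookieDomain) {
        return true;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false; // an IP literal never matches a suffix
    }
    $suffix = '.' . $cookieDomain;
    return substr($host, -strlen($suffix)) === $suffix;
}

/** Would a cookie set by $settingHost with Domain=$cookieDomain (null when the
 *  attribute was omitted) be included in a request to $host? */
function cookieSentTo(string $host, string $settingHost, ?string $cookieDomain): bool
{
    if ($cookieDomain === null) {
        // Host-only cookie: returned only to the exact host that set it.
        return strtolower($host) === strtolower($settingHost);
    }
    return domainMatches($host, $cookieDomain);
}

// Constructed cases: request host, host that set the cookie, Domain attribute, expected.
$cases = [
    ['mydomain.com',     'sub.mydomain.com', null,               false], // host-only
    ['mydomain.com',     'sub.mydomain.com', 'mydomain.com',     true],
    ['qa.mydomain.com',  'mydomain.com',     '.mydomain.com',    true],  // QA gets the live cookie
    ['mydomain.com',     'qa.mydomain.com',  '.qa.mydomain.com', false], // parent never gets a child's
    ['evilmydomain.com', 'mydomain.com',     'mydomain.com',     false], // suffix must follow a dot
];
foreach ($cases as [$host, $setter, $domain, $expected]) {
    printf("%-18s %-18s %s\n", $host, $domain ?? '(host-only)',
        cookieSentTo($host, $setter, $domain) === $expected ? 'ok' : 'MISMATCH');
}
```

Every row prints `ok`; the third row is exactly why the QA server in the first question receives the live server's cookie.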
So I have an iframed page of my subdomain in my main domain, and this subdomain page requires user to be logged in and have a membership to be accessed.
Basically I need that the session variables and cookie are passed to the subdomain in order for the iframe to load.
How can I achieve this in Nginx ?
Cookies have a domain attribute, which specifies which domains they will be sent to from the client. For example, in PHP's setcookie function the 5th argument accepts a $domain string to set in the cookie. By default it's left blank which means it will use the domain the request came from when the client receives it.
The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com', will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.
So if you set your cookie to your main domain the client UA won't have a problem making it available to your sub domain.
Now, iframes are little trickier, however. For example, Internet Explorer can treat iframes differently due its varying privacy policy rules and block all cookies from an iframe. See this question for more details. However, Nginx really shouldn't play anything more than a passive role in all of this.
I'm running Ubuntu / nginx and php-fpm. When I open my website http://www.mydomain.com I have to log in and a session is being created by PHP. When I log on to http://mydomain.com I have to log in again and another session is being created.
How can I prevent PHP from creating new sessions and stick with one? Or is this rather a web server issue?
This is because your sessions are based on cookies, and cookies are domain specific. www.domain.com is technically a subdomain of domain.com, although it is rarely treated as such, and the browser will act as if it were a completely different server. You can work around the problem by passing the session id as a GET (or POST) parameter as appropriate.
See this page or the PHP manual for an explanation of how to do it. All you really need to do is include the constant SID in all your links etc - this is defined when you call session_start() and is a string in the format of a URL parameter.
Use session_set_cookie_params and set the domain to .mydomain.com. Also session_set_cookie_params needs to be called before each session_start
You need to specify the cookie domain to make sure the cookie is seen valid for both www and non-www http://php.net/manual/en/function.session-set-cookie-params.php
I would like to have my session work in my website when using www. AND when not using it.
I've read this thread:
PHP cookie problem - www or without www
And this would work, but I'm not creating cookies here, but sessions. How would I solve this? Also note that I don't know on which domain my scripts will run, so hardcoding the domain is not an option.
Is there a way to do this?
Thank you
EDIT:
I'm forcing that session IDs should be stored in cookies, so only this applies.
Use the session_set_cookie_params function before calling session_start; it allows you to set the session domain and other things. Set the domain to your domain prefixed with a . to make the session available to subdomains as well.
You can reflect php.ini for this. Add this in php.ini so that your session cookie will be saved at the place to be accessible with or without www
session.cookie_domain = .example.com
You can also try an alternate to do this
ini_set("session.cookie_domain", ".example.com");
And you can get the host name using $_SERVER['HTTP_HOST'] variable.
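Putting the session_set_cookie_params and session.cookie_domain answers above together, here is an added example (not code from any answer on this page) that derives the cookie domain from $_SERVER['HTTP_HOST'] rather than hardcoding it; the allowlist is an assumption, and it is there because the Host header is supplied by the client and must not be trusted blindly when choosing a cookie scope. It assumes PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example, not code from any answer above: derive the session cookie
// domain from the request instead of hardcoding it, validate it against an
// allowlist (assumed; the Host header is client-supplied), and apply it with
// session_set_cookie_params() before session_start(). Needs PHP 7.3+.

const ALLOWED_SITES = ['example.com', 'example.org']; // constructed allowlist

/** Registrable site the session cookie may be scoped to, or null if the
 *  request host is not one we serve (then we fall back to a host-only cookie). */
function sessionCookieDomain(string $httpHost, array $allowedSites = ALLOWED_SITES): ?string
{
    $host = strtolower(preg_replace('/:\d+$/', '', trim($httpHost))); // drop any :port
    foreach ($allowedSites as $site) {
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return $site; // covers example.com, www.example.com and qa.example.com alike
        }
    }
    return null;
}

/** Start the session with a cookie that is valid for www and non-www hosts. */
function startSharedSession(): void
{
    $domain = sessionCookieDomain($_SERVER['HTTP_HOST'] ?? '');
    session_set_cookie_params([
        'lifetime' => 0,             // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => $domain ?? '', // '' means host-only, PHP's default
        'secure'   => true,          // only sent over HTTPS
        'httponly' => true,          // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}
```

Scoping the cookie to example.com shares the session with every subdomain, including a test site like the one in the earlier questions; if that is not wanted, give each environment its own session_name() so the cookies do not collide.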
PHP uses cookies for the session id, so thats really the same problem (and solution). Have a look at the session configuration.
http://php.net/manual/en/session.configuration.php
Using the correct hostname across all requests is important for sessions. However, if you are going to be accessing cookies across multiple subdomains then you can specify the domain parameter with a prepended period. I.e.,
.example.com
I've experienced this problem with my cookies, and the link in your post is great for solving that.
So far, I've never experienced difficulties with sessions. They are independent of the domain or subdomains; they are stored on the server side.
You can set a constant parameter DOMAIN_NAME in a config file, or in the DB, in preparation for your cookies, and then modify it only once.
In the application I'm writing using a combination of development environments and languages, I have need of accessing a cookie from two different subdomains, each on a separate host.
The cookie is being set on www.mydomain.com using the PHP code that follows, and I'm attempting to access it from distant.mydomain.com on a separate host.
setcookie('token', base64_encode(serialize($token)), time()+10800, '/', '.mydomain.com');
I'm trying to access the cookie from distant.mydomain.com using the following code:
if (isset($_COOKIE['token'])) { /* do stuff */ }
The problem: distant.mydomain.com is not finding the cookie. The if statement just mentioned returns false, even though the cookie exists.
I have verified that the cookie that is set is for mydomain.com (by checking my Firefox cookies). I can't think of any reason this wouldn't be working.
Using the same setcookie code, I have an old application running exclusively on the www.mydomain.com host, and that application is able to access the cookie across domains. This makes me suspect that the problem has to do with separate hosts.
Just in case any of the following information is pertinent:
- www.mydomain.com is IIS 6.0
- distant.mydomain.com is Apache 2.2.9
- Both servers use PHP 5.2.x
- Both servers are operating on Windows Server 2003
If there is any further information I can provide in order to better describe the problem, please let me know!
For the benefit of anyone reading this question the code and information contained in the original post are exactly correct and work fine.
The problem is when you introduce other technology. For instance, I have since learned that sending PHP code through a Python module, one that allows Django to serve PHP files/content, changes a great deal about what is accessible to the script and what is not.
This was eventually discovered following the advice of Marc Novakowski, who suggested sending $_COOKIE to the log in order to find out what was there.
I also checked out $_SERVER and $_GET. It was the emptiness of $_GET that tipped me off that the setup I am attempting to use is not as straightforward as I had thought. It was that mistaken understanding that led to not including the information about Django in the original post.
Apologies and thanks to all who responded to this question!
Cookies set in domain
'.aaa.sub.domain.com'
will collide with identically named cookies set in domain
'.sub.domain.com'
and '.some.stupidly.obscure.multi.sub.domain.com'
That means (and this took some time to wade through) if you're going to use the same-named cookie across multiple domains, you must set it once (and once only) in the main/base domain, in this case '.domain.com'; otherwise, the resulting cookie will be indeterminately and randomly arrived at: sometimes the cookie 'jasper' set in .a.sub.domain.com, sometimes the cookie 'jasper' set in .sub.domain.com, sometimes the cookie 'jasper' set in .b.c.d.domain.com, sometimes the cookie 'jasper' set in '.sub.domain.com' and sometimes the cookie 'jasper' set in '.domain.com'.
Does one of the subdomains use an underscore? IE has problems accepting cookies from subdomains that don't follow the URI RFC.
This is assuming 'distant' is a placeholder and not the actual subdomain name, and of course that you use IE. Although more browsers could very well be affected as well, Firefox isn't, though.
I'd try installing Charles Proxy and see what headers are a) being sent to Firefox to begin with (to set the cookie) and b) which headers are being sent from Firefox to the second server. At least that way you can narrow down where the problem is (browser or server).
From php.net about the setCookie-function:
The path on the server in which the cookie will be available on. If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.
The domain that the cookie is available to. To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers. Setting it to www.example.com will make the cookie only available in the www subdomain. Refer to tail matching in the spec for details.
Basically: your 4th and 5th parameters need to be checked. Your path seems to be fine, but the domain needs to be changed:
Today you block the cookie from everyone other than domain A, but you want it to be available to both domain A and B. This is a bit tricky, but can be solved. Get inspiration on 15seconds ;-)