Greetings
I have a website with multiple subdomains, one subdomain per language: pl.example.com, en.example.cm, fr.example.com. I would like to keep one session across all subdomains so I'm setting session cookie and remember_me cookie for ".example.com". On the other hand all images should be served without cookies. Is it possible to tell the Apache to don't send cookies for this one particular subdomain (pl.example.com, en.example.com, fr.example.com - shared cookies, images.example.com - no cookies at all)
Best Regards
A.
In the appropriate httpd config section:
Header unset Set-Cookie
Or just don't try to set cookies in the first place.
I don't know a qualified solution to your question but - I'd build the structure another way:
- yourdomain.com
- /pl
- /en
- /fr
- /images
You would then be able to use mod_rewrite to rewrite your url pl.yourdomain.com to yourdomain.com/pl/.
I think this approach makes things much easier.
Related
Two questions regarding a Cookieless Domain (I've read a dozen or more posts on Cookieless domains, but some of the answers seem conflicting).
I am setting up my site to serve Static Content from a Cookieless Domain - using a subdomain and .htaccess. I have pages with many thumbnails and I don't want the cookie info sent with each image request.
In htaccess I have a rewrite rule which directs all my traffic to the www domain
RewriteBase /
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
I created a CNAME record static.example.com and point it to www.example.com.
My image requests now point to static.example.com and in Firebug I am looking at the Net tab. The request header shows the PHP Session Cookie PHPSESSID=.... and the response header shows no Cookie.
First Question:
Is having the session cookie in the request header unavoidable, or should I be trying to get rid of this as well? All requests come from a common directory (and its subdirectories). Should I do something like this?
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
UPDATE I tried putting this in the .htaccess in the directory of the jpg files - but headers were not blocked for the images served
Second Question:
Also, do I need to explicitly set the domain property of all my cookies? Docs say that if the domain is not specified then the current domain is used as the default. My current domain should always be www, right? But in response to my last post, someone said
You'll need to explicitly set all your cookies for www.example.com so
that they won't be shared among subdomains
When looking at my www.example.com cookies (in firfox) which were set without specifying the domain, it shows the "host" as www.example.com but the "site" as example.com. It doesn't explicitly say what the "domain" is and these cookies aren't being included with the requests from static.example.com.
Thanks for your help. (If I should have posted two separate posts, let me know)
So after a long night, here is what I found:
In the end, I no longer have the session cookie showing up. In the end, I explicitly set the domain to www.example.com and the path to "/" for all cookies and once this was done (correctly), the cookie data is no longer in the request header for all file requests.
It might have worked without the domain being explicitly set. However, it was the most straightforward route and worked in the end.
I have a website with n number of sub-domains, and one reserved for static content. I need to set up a cookie across all sub-domains except the static sub-domain. My home-page is on a sub-domain-less (domain.lk) manner. It is possible to route it to www.domain.com if necessory
It is more important to keep the static sub-domain cookie free.
I have tried the following line of code before reading cookies
ini_set('session.cookie_domain', 'domain.lk');
and
ini_set('session.cookie_domain', 'www.domain.lk');
That line was present only on dynamic sub-domains. But it didn't work. Cookie was not accessible from different sub-domains.
My static sub-domain is hard coded in to many contents (database records), therefor changing that is not a good option.
There's no means of setting a domain level cookie and making it not visible on given sub-domain. (You will however need to prefix the domain with a period as such...)
ini_set('session.cookie_domain', '.domain.lk');
However, if the static domain doesn't require cookies (or indeed presumably the existence of PHP at all), the fact that this cookie doesn't exist shouldn't be an issue.
That said, you should be able to overcome this using the mod_headers Apache module on the given sub-domain (so that it's not transmitted to the browser client) via...
RequestHeader unset Set-Cookie
This question already has answers here:
PHP: SESSION lost on SUBDOMAIN
(3 answers)
Closed 9 years ago.
My site uses PHP sessions to keep track of a logged in user. Every page has session_start(); implemented properly, however in chrome when I place www. in from of the domain name it does not use the session variables. When I replace it back without the www. it works fine again, so the variables are not unset but rather just not being used.
In Firefox strangely it is the other way around. www. works and without does not. Is there a way around this? I'm having trouble because I'm using PayPal to redirect to my site and I can't have my users have to log out and back in directly after.
www.example.com and example.com are NOT the same website. They usually are, but only by convention. www.example.com is a subdomain of example.com
For this reason, cookies set on example.com will NOT be used on www.example.com and vice versa, because it would be unsafe to assume they are the same thing.
You can override this behaviour to some extent by allowing the session cookie to work on all subdomains as well as the main domain by setting the php.ini setting session.cookie_domain to .example.com (replace with your own domain name, of course)
You should either set the cookie_domain in PHP or make sure your users only see your site with www or without www. You can use .htaccess (apache server) to accomplish this.
Example to set your cookie domain for multiple subdomains:
session_set_cookie_params(0, '/', '.example.com');
session_start();
There is a website with several subdomains.
On the main subdomain cookies are set:
#setcookie( $name, $value, $expires, '/', '.www.mysite.com');
I can see the cookie on www.mysite.com and sub1.mysite.com.
The directories are:
www.mysite.com: public/index.php
sub1.mysite.com: public/sub1/index.php
How can that be possible that I can't see it in the new subdomain sub2.mysite.com?
sub2.mysite.com public/sub2/index.php
Setting the domain to 'www.example.com' or '.www.example.com' will
make the cookie only available in the www subdomain.
If you want to make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'.
make sure the path is set to / so it works for the whole site, otherwise it might not work for sub directories on your site
Using # is not a wise act in general but using it in front of setcookie() is exceptionally unwise, if not to say a stronger word.
Subdomain should be set to .mysite.com'
path should be set, not omitted. If you want to have access to the cookie in any directory, set path to /.
Nevertheless, the reason can be any. One have to debug their code, not asking for the possible reasons.
Why is it that if I create a cookie on www.example.com and check it on example.com, the cookie doesn't exist there? I am planning to just use .htaccess redirect non-www to a www domain. But how do I solve this?
Browsers are the main culprit here, not PHP. They store by domain, and don't know that www is a special case; from their perspective, www.mydomain.com and mydomain.com are different strings, and therefore have different security policies. However, there is something you can do.
When setting the cookie, use .mydomain.com (with the leading dot). This will tell your user's browser make the cookie accessible to mydomain.com and all subdomains, including www. PHP's setcookie has the argument $domain, but it's fifth on the list, so you may need to set $expire and $path to their default values in order to get at it.
setcookie('name', 'value', time()+3600, '/', '.mydomain.com');
For consistency, however, you may wish to consider rerouting all web traffic to a specific domain, i.e. send mydomain.com traffic to www.mydomain.com, or vice-versa. My vague knowledge of SEO (edit if incorrect) tells me that it's helpful so as not to have duplicate content, and it saves you all such authentication issues. Additionally, if you store assets on a subdomain, having cookies on there slows down traffic by having to transport it each time, so storing application cookies only on www earns you that speed boost.
Here is a tutorial on how to accomplish such a redirect in Apache.
setcookie("CookieName", "value", time()+3600, "/", ".mydomain.com");
I believe you can set the cookie at example.com (really .example.com) and it will be sent if they go to www.example.com, but not vice versa. This standard security policy is to prevent users' private data from being sent to unintended servers.
Personally, I use virtualhosts in my apache2.conf:
<VirtualHost *:80>
ServerName example.com
RedirectMatch (.*) http://www.example.com$1
</VirtualHost>
... in this example, everyone trying to load e.g. http://example.com/index.html is redirected to http://www.example.com/index.html.
because php translates www.mydomain.com differently from mydomain.com. If the domains are not 100% identical the cookie wont match.
And I'm sure the browser also looks for 100% match of the domain name before allowing servers to overwrite them.
Just use .htaccess to redirect. It's the only SURE way to tackle this in all browsers.