I have a problem overwriting a cookie's value across subdomains: a website running in ASP at www.domain.com and a mobile site running in PHP at m.domain.com share the same cookie.
The cookie is created on www.domain.com via ASP as follows:
Response.Cookies("cookie_name")="value1"
Response.Cookies("cookie_name").Expires=DateAdd("m", 1, Date())
Response.Cookies("cookie_name").Domain = ".domain.com"
Response.Cookies("cookie_name").Path = "/"
Response.Cookies("cookie_name").Secure = false
When I tried to overwrite the value in PHP (m.domain.com) as follows:
setcookie("cookie_name",'value2',time()+60*60*24*30, "/", ".domain.com",false);
the execution returns true, but when I check the cookie the value wasn't changed; it is still "value1".
I also tried to set it via header:
header("Set-Cookie: cookie_name=value2; path=/; domain=.domain.com; expires=".gmstrftime("%A, %d-%b-%Y %H:%M:%S GMT",time()+60*60*24*30));
but still no effect. Any ideas? Big thanks.
Finally I made it work:
header("Set-Cookie: cookie_name=value2; expires=".gmstrftime("%A, %d-%b-%Y %H:%M:%S GMT",time()+60*60*24*30)."; path=/; domain=domain.com");
Note the domain part (no dot). Hope this helps others.
PHP and JavaScript sometimes can't work together as well, so I recognise the problem.
I don't know how much you depend on Javascript, but you could use it to set the cookie values(echo-ing "document.cookie = "=;expires=;path="; ").
It's dirty but at least there will be one common divider to worry about; not two.....
This issue appeared today and it seems to have something to do with webkit.
On pages that redirect via location [301/302] HTTP headers (404 error pages in this case) PHP cannot read the cookies - meaning the $_COOKIE is an empty array.
I'm aware of the webkit bug that using Set-Cookie and Location header in the same response breaks, but this is about reading not writing so it's supposed to be in the request headers.
I'm using the latest Chrome v26. On the backend I have PHP 5.3.10-1ubuntu3.6 on my home server, and the exact same on a production server (which I did not set up and which is not on default settings). On the production server I cannot read the cookies, as I said before, but on my home/dev server I can.
And it gets worse: On another server which runs PHP 5.3.3-7+squeeze14 I also can't read the cookies if the Content-Type header is not html, but text/plain.
I set the cookies the following way:
if (setcookie($name, $value, $expire, $path, null, isset($_SERVER['HTTPS']), $httponly))
{
$_COOKIE[$name] = $value;
return true;
}
return false;
$httponly is false
$path is '/'
the name consists of lowercase letters
the value consists of numbers and dashes
I can see the cookie in the Developer Tools / Resources tab and it works fine on simple html pages.
I appreciate any help.
Thanks.
Are the redirect page and the redirector page on the same domain? Maybe this is being considered an XSS attempt to steal cookies. Try sending the "Access-Control-Allow-Origin: *" header:
header("Access-Control-Allow-Origin: *" );
In my case, the problem was with session_set_cookie_params(), the parameter for the domain (the 3rd argument) was prefixed with a period ., such as ".localhost". When I removed the ., $_COOKIE variable was populated.
I have two servers, 'www.domain.local' and 'api.domain.local'. I want to set a cookie in a script on the api server that is called from the www. Chrome does not let me do that (didn't try other browsers yet)
my PHP code:
header("Access-Control-Allow-Origin:*");
echo json_encode(array("cookie"=>print_r($_COOKIE,true)));
setcookie("test","ok",time()+24000*3600,"/",".domain.local");
in my jQuery:
$.getJSON("http://api.domain.local/test.php",{
command:"setcookie"
},function(fb){
alert(fb.cookie);
});
The PHP is first returning the cookies it has, the first run this should be zero, and it is. In the header of the PHP script I see the following:
Set-Cookie:test=ok; expires=Tue, 27-Oct-2015 22:52:52 GMT; path=/; domain=.domain.local
X-Powered-By:PHP/5.3.14
Which is what I expect. But the cookie isn't set. When I run the jQuery again I am expecting the cookie to be set (get an alert with the print_r of $_COOKIE), but I get nothing. One thing I noticed in the 'cookies' tab of the network resources in the debug part of Chrome is that the expiry was set as "Invalid Date". If I run the PHP script directly I don't have this problem though.
Is it possible to set a cookie in a PHP script called from jQuery and if so, how?
Let's see, set a cookie on a different domain to the one that the page is loading on and in PHP from jQuery
Someone might post how you're supposed to do it.
I might just cheat.
www.domain.local/test.html includes
$.getScript("http://api.domain.local/test.php?dowhat=setcookie");
api.domain.local/test.php is
<?php
switch ($_GET['dowhat']){
case 'showcookie':
print_r($_COOKIE);
break;
case 'setcookie':
setcookie("test",date('Y m D H:i:s'),time()+24000*3600,"/");
break;
}
header("Content-type: application/javascript"); // may as well, it expects this
die;
Now go to http://api.domain.local/test.php?dowhat=showcookie
Array ([test] => 2013 01 Thu 00:20:52 )
Ta-da!
P.S. I wouldn't advise doing it this simply if you need it to be set without someone naughty being able to cheat too.
There seems to be a problem with your code. On the first line you forgot to close your string with ".
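The jQuery call in the question is a cross-origin request made without credentials, so the browser sends no cookies and ignores the Set-Cookie it gets back; the wildcard Access-Control-Allow-Origin also stops being accepted once credentials are switched on. The following is an added example, not code from the thread, modelling those rules from both sides; ALLOWED_ORIGINS, corsHeadersFor and browserOutcome are names assumed for this illustration.

```javascript
// Added example, not code from the thread. ALLOWED_ORIGINS, corsHeadersFor and
// browserOutcome are names made up for this illustration.
const ALLOWED_ORIGINS = new Set(["http://www.domain.local"]);

// Server side (api.domain.local): CORS headers for a credentialed request.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // unknown origin: grant nothing
  return {
    "Access-Control-Allow-Origin": requestOrigin, // echo the exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse the response for another origin
  };
}

// Browser side: simplified model of a cross-origin XHR/fetch.
//  cookiesInPlay - the request carries cookies and Set-Cookie is processed
//                  (still subject to the browser's third-party cookie settings)
//  readable      - the page's callback is allowed to see the response
function browserOutcome(pageOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (!withCredentials) {
    return { cookiesInPlay: false, readable: acao === "*" || acao === pageOrigin };
  }
  // With credentials the wildcard is not accepted and the flag must be "true".
  return { cookiesInPlay: true, readable: acao === pageOrigin && acac === "true" };
}
```

On the client, jQuery enables credentials through `$.ajax` with `xhrFields: { withCredentials: true }`.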
I have set my cookie in PHP using the following:
setcookie("id", 100, time()+100000, "/AP", "www.mydomain.com", 0, true);
When I look at the cookies stored in the browser it looks like this:
Name: id
Content: 100
Domain: .www.mydomain.com
Path: /AP
Notice the . in the Domain
When I set a cookie in javascript I get the same results except:
Name: id
Content: 100
Domain: www.mydomain.com
Path: /AP
The domain is different. Why does my PHP cookie put a '.' in front of www.mydomain.com and JavaScript does not?
The following is the javascript code that I'm using to create a cookie:
function SetCookie(cookieName,cookieValue,nDays) {
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays=1;
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)
+ ";expires="+expire.toGMTString();
}
Any ideas?
Update:
When I try to read this using the following function in javascript:
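function ReadCookie(cookieName) {
  if (cookieName == "") return "";
  // Split into name=value pairs and compare names exactly, so that "id"
  // is not found inside another cookie's name or value (e.g. "sid").
  var pairs = document.cookie.split(';');
  for (var i = 0; i < pairs.length; i++) {
    var pair = pairs[i].replace(/^\s+/, '');
    var eq = pair.indexOf('=');
    if (eq != -1 && pair.substring(0, eq) == cookieName) {
      return unescape(pair.substring(eq + 1));
    }
  }
  return "";
}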
I can't get the value using the ReadCookie function (above) from the cookie that contains:
Domain: .www.mydomain.com
However the cookie that contains:
Domain: www.mydomain.com
works just fine.
So someone with the same problem can easily find the answer in the future. Here's my comment in answer form:
You're setting the cookie to httponly, meaning JavaScript cannot interact with it. Remove the last parameter of setcookie or set it to false and you should be able to access it using JavaScript.
setcookie("id", 100, time()+100000, "/AP", "www.mydomain.com", false, false);
Glad I could help!
A cookie with domain .www.mydomain.com is sent not only to www.mydomain.com, but also to subdomain.www.domain.com, sub.subdomain.www.domain.com and so on.
However, I can't reproduce the behavior you mention:
a.php
<?php
setcookie("id", 100, time()+100000, "/AP", "www.mydomain.com", 0, true);
HTTP request:
GET /a HTTP/1.1
Host: localhost:81
HTTP/1.1 200 OK
Date: Tue, 03 Aug 2010 03:49:59 GMT
Server: Apache/2.2.13 (Win32) PHP/5.3.0
X-Powered-By: PHP/5.3.0
Set-Cookie: id=100; expires=Wed, 04-Aug-2010 07:36:41 GMT; path=/AP; domain=www.mydomain.com; httponly
Content-Length: 0
Content-Type: text/html
Why does my PHP cookie put a '.' in front of www.mydomain.com and JavaScript does not?
PHP's probably doing it for compatibility reasons. This may vary between PHP versions.
The dot at the front means that the cookie should not just be assigned to the specified hostname, but also to any sub-domains below that hostname.
So a cookie set for .www.example.com should work on both www.example.com and site1.www.example.com.
I'm going to answer this question just so I can mark an answer, however the credit goes to: munch. If he puts an answer to this question I will delete this and use his answer. Please do not "up" vote my answer. Please "up" vote his comment under my original question.
The answer that munch gave:
#Jeff V: You're setting the cookie to http only, meaning JavaScript cannot interact with it. Remove the last parameter of setcookie or set it to false and you should be able to access it using JavaScript.
I immediately tried that and lo and behold it worked! Afterwards I wanted to find out what the heck he was talking about. So I went to http://php.net/manual/en/function.setcookie.php to find out what this HTTP parameter was all about.
httponly
When TRUE the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers). Added in PHP 5.2.0. TRUE or FALSE
munch was absolutely right. Please up his comment when reading this.
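The fix above works because an HttpOnly cookie is still sent to the server but is withheld from document.cookie. The following is an added example, not code from the thread: it parses Set-Cookie values (the first is the header captured in the answer above, the second is constructed) and applies HttpOnly plus RFC 6265 path matching to show what script and server each see. The function names are assumptions, and a missing Path is treated as "/" for brevity.

```javascript
// Added example. SAMPLE_HEADERS[0] is the header shown in the thread;
// SAMPLE_HEADERS[1] is constructed for contrast.
const SAMPLE_HEADERS = [
  "id=100; expires=Wed, 04-Aug-2010 07:36:41 GMT; path=/AP; domain=www.mydomain.com; httponly",
  "theme=dark; path=/AP",
];

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // Simplification: a missing Path attribute is treated as "/".
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: "/", httpOnly: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "httponly") cookie.httpOnly = true;
    if (key.toLowerCase() === "path" && val.startsWith("/")) cookie.path = val;
  }
  return cookie;
}

// RFC 6265 section 5.1.4: prefix match that ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function cookiesFor(headers, pagePath, fromScript) {
  return headers.map(parseSetCookie)
    .filter((c) => pathMatch(pagePath, c.path) && !(fromScript && c.httpOnly))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What a script on pagePath reads from document.cookie.
const documentCookieView = (headers, pagePath) => cookiesFor(headers, pagePath, true);
// What the server receives in the Cookie request header.
const requestCookieHeader = (headers, pagePath) => cookiesFor(headers, pagePath, false);
```

Keeping HttpOnly on the identifier and putting only the values a script needs into a separate cookie preserves the XSS protection the manual excerpt describes.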
On one domain I use this command:
setcookie( "cookiename", "cookievalue", time()+86400, "/", "domain1.com" );
On the other domain I used a pixel code:
<img src="http://domain1.com/?action=trackcookie" width=1 height=1 />
That URL is not able to read the cookie, but the same URL is able to read the cookie when it is called directly. When I put that URL as a pixel code on the other domain, it is not able to read the value.
What might be the problem?
Best Regards,
Satish Kalepu
Hi, yes, I have checked HttpWatch and Firebug also.
http://www.domain1.com/tracking.php?action=setcookie
That URL sets these cookies:
Set-Cookie topinno=1; expires=Tue, 27-Apr-2010 09:24:16 GMT; path=/
Set-Cookie newkhan=%3A+2010-04-26+14%3A54; expires=Thu, 06-May-2010 09:24:16 GMT; path=/
On domain2 this URL is called in an iframe tag:
http://www.domain1.com/tracking.php?leadno=CREATEDLEADNO&city=CITYOFTHELEAD
Then those cookies are not coming.
But when I call the same URL directly, I am again able to see the cookies in the request:
PHPSESSID=diebgrgusqofs2gckahu2nbm04; topinno=1; newkhan=%3A+2010-04-26+14%3A54; __utma=97007629.526966387.1270733785.1272261298.1272265835.45; __utmz=97007629.1270733785.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Cookies are per-domain; you won't be able to do that in another domain.
And if you do it in the same domain, expires after two days should be "expires after two days" (you are missing quotes), or it should be a number in seconds.
Many browsers optionally put limitations on ‘third-party cookies’, that is cookies set by resources served from a different hostname than the main page address. Users hate tracking beacons; you should not rely on them always working.
In particular for the default settings of IE, you must create a P3P policy promising to be nice, or the browser will refuse to allow third-party cookies.
More background.
For reasons of privacy, many browsers block cookies that come from a different domain to the page itself.
Situation:
I'm trying run an https store (xcart) under one domain secure.example.com and I want to have access to a cookie it sets in http www.example.com
I'm running PHP on Apache (MAMP), testing in Firefox with Firecookie
The existing code sets cookies to .secure.example.com. I'm not sure if this is xcart related, but setcookie is actually called using secure.example.com. I'm not sure why the "." is appended.
Problems:
When I try to use setcookie in https to use the domain .example.com or just example.com, no cookie is created, whether I'm running the store under http or https. The testing code I'm using is:
setcookie('three', 'two', 0, "/", ".example.com");
If I set the cookie to secure.example.com or .secure.example.com it does show up.
Is there a reason the cookie isn't showing up?
The problem was that I was using localhost with a one-word domain, 'mydomain', a fact which for some reason was edited out of the original message. At least Firefox requires at least two words for an explicitly set cookie, something like mydomain.local. I changed the hosts file to have the domains www.mydomain.local and secure.mydomain.local, and I was able to set the cookies to .mydomain.local.
Also I found that PHP automatically puts a "." in front of explicitly set cookies.
Yes - but the policy is determined by the browser (and on some browsers can be configured).
IIRC the semantics of the preceding . are explained in the cookie RFCs (2109 for the standard cookies), which states:
A is a FQDN string and has the form NB, where N is a non-empty name
string, B has the form .B', and B' is a FQDN string. (So, x.y.com
domain-matches .y.com but not y.com.)
Which I would interpret as meaning that a domain in a setcookie directive intended to be used as a wildcard match should be preceded by a '.', i.e. .example.com - however the spec goes on to say:
Domain=domain
Optional. The Domain attribute specifies the domain for which the
cookie is valid. An explicitly specified domain must always start
with a dot.
Which to me implies the opposite.
I suggest you read it yourself and experiment.
The obvious practical solution is, in the absence of a suitable cookie, to redirect back to the cookie-setting webserver for it to check its cookie then send back another redirect to the originating server with cookie details in the query string, then drop a copy of the cookie associated with the current server.
Alternatively you may get some mileage out of using FQDNs with more sections, e.g.
secure.www.example.com
and
www.example.com
(dropping the cookie for [.]www.example.com)
HTH
C.
Did you try setcookie('three', 'two', 0, "/", ".mydomain.com"); ?
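The leading-dot questions in the threads above (the `.domain.com` versus `domain.com` overwrite, the `.www.mydomain.com` display, the one-word `mydomain` host and the RFC 2109 quotes) all turn on how a browser normalises the Domain attribute and keys its cookie jar. The code below is an added example, not code from any of the posts; it follows RFC 6265, the current cookie specification, in which a leading dot is ignored, and its function names and the single-label check (a stand-in for the public-suffix lookup browsers perform) are assumptions made for illustration.

```javascript
// Added example: RFC 6265 Domain handling (sections 5.1.3, 5.2.3 and 5.3).
// Simplification: browsers reject Domain values that are public suffixes; the
// "no embedded dot" test below is only a stand-in for that lookup.

function domainMatch(host, cookieDomain) {
  // Identical, or a suffix that starts on a label boundary (IP hosts not handled).
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Returns the record a browser would store, or null if it ignores the cookie.
function storeCookie(requestHost, name, value, domainAttr, path = "/") {
  const host = requestHost.toLowerCase();
  if (!domainAttr) {
    return { name, value, domain: host, hostOnly: true, path };
  }
  const domain = domainAttr.toLowerCase().replace(/^\./, ""); // leading dot ignored
  if (!domain.includes(".")) return null;      // e.g. "localhost", ".mydomain"
  if (!domainMatch(host, domain)) return null; // host may not set it for that domain
  return { name, value, domain, hostOnly: false, path };
}

function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Jar entries are keyed by (name, domain, path); only an exact match on all
// three replaces an existing cookie.
function applySetCookie(jar, cookie) {
  if (cookie) jar.set([cookie.name, cookie.domain, cookie.path].join("|"), cookie);
  return jar;
}

// Values sent to requestHost for one cookie name, in insertion order.
function valuesSent(jar, requestHost, name) {
  return [...jar.values()]
    .filter((c) => c.name === name && isSentTo(c, requestHost))
    .map((c) => c.value);
}
```

Under these rules a host-only cookie and a Domain cookie of the same name coexist in the jar, so m.domain.com can receive two values for one name in a single request.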