I have a site that uses www.example.com for standard pages and secure.example.com for HTTPS. I am trying to set a cookie when user logs in that will be valid on both the HTTP & HTTPS versions of the site.

I am doing this by setting path to "/" and domain to ".example.com". This works fine in Firefox and Internet Explorer, but in Chrome the cookie is only working on the version of the site where it was set (http://www.example.com or https://secure.example.com).

Is this a bug or am I doing something wrong? If it's a bug is there a workaround?

The cookie is being set by PHP in headers.

setcookie("login", base64_encode($email."::".md5($password)), 2840184012, "/", ".example.com");

+2  A: 

You cannot set a cookie for both HTTP and HTTPS at the same time. You need to set two separate cookies, one for HTTP and one for HTTPS:

setcookie("login", base64_encode($email."::".md5($password)), 2840184012, "/", ".example.com");
setcookie("login", base64_encode($email."::".md5($password)), 2840184012, "/", ".example.com", true);

This only works if you set the cookies via https://secure.example.com, as you can only set secure cookies over HTTPS.

Oh, and by the way: do not store the authentication information in a cookie! Use a single-use authentication token instead.

Gumbo
Tried as you suggested, but this still doesn't work in Chrome. I am using header("Location: http://www.example.com") right after setting the cookie, if this makes a difference.
Tim
@Tim: And you’re setting these cookies via HTTPS?
Gumbo
Yes, correct, I tested on HTTPS. The cookie works on both HTTP and HTTPS sites in all my browsers except Chrome, where it only works on the HTTPS site.
Tim
@Tim: So the HTTP cookie is not set when requesting via HTTPS?
Gumbo
Chrome sends the cookie to the server on HTTPS pages but is not sending it to the HTTP pages. Here are the headers being sent by the server:

Set-Cookie: login=blahblahblah; expires=Thu, 01-Jan-2060 12:00:12 GMT; path=/; domain=.example.com
Set-Cookie: login=blahblahblah; expires=Thu, 01-Jan-2060 12:00:12 GMT; path=/; domain=.example.com; secure
Tim
@Tim: I think Chrome assumes that you want a secure cookie if you set it via HTTPS. So it only stores one. Did you try it with different cookie names?
Gumbo
Sorry for the delayed response. Using different cookie names did the trick. Although it didn't work for overwriting the cookie later when the user logs out: I had to overwrite the HTTPS one first, then redirect to an HTTP page to overwrite the standard one. Thanks for your help with this.
Tim
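Why renaming the cookie worked, as an added illustration that is not code from the question or the answer: RFC 6265 section 5.3 keys a stored cookie by name, domain and path only, so the second Set-Cookie header Tim quotes replaces the first and only the Secure copy survives, whereas two names give two independent cookies. The model below implements that storage rule; the headers are constructed to mirror the quoted ones with a placeholder value, and the host names are the two from the thread.

```python
def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header value into name/domain/path/secure (RFC 6265 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    cookie = {"name": parts[0].partition("=")[0].strip(),
              "domain": request_host, "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()  # leading dot is ignored
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def store(jar, cookie):
    """RFC 6265 5.3 step 11: same name + domain + path replaces the stored cookie;
    the Secure flag is not part of the key, so the later header wins."""
    jar[(cookie["name"], cookie["domain"], cookie["path"])] = cookie

def names_sent(jar, host, https):
    """Cookie names a user agent would attach to a request to host over http(s)."""
    return sorted(c["name"] for c in jar.values()
                  if (host == c["domain"] or host.endswith("." + c["domain"]))
                  and (https or not c["secure"]))

def simulate(headers):
    """Store headers as if set by https://secure.example.com, then report what
    each of the two sites in the thread would receive."""
    jar = {}
    for h in headers:
        store(jar, parse_set_cookie(h, "secure.example.com"))
    return {"secure_https": names_sent(jar, "secure.example.com", True),
            "www_http": names_sent(jar, "www.example.com", False)}

# Constructed headers in the shape quoted in the thread (cookie value is a placeholder).
SAME_NAME = [
    "login=PLACEHOLDER; expires=Thu, 01-Jan-2060 12:00:12 GMT; path=/; domain=.example.com",
    "login=PLACEHOLDER; expires=Thu, 01-Jan-2060 12:00:12 GMT; path=/; domain=.example.com; secure",
]
# The workaround that worked in the comments: distinct names, so both survive.
DIFFERENT_NAMES = [
    "login_http=PLACEHOLDER; path=/; domain=.example.com",
    "login_https=PLACEHOLDER; path=/; domain=.example.com; secure",
]

if __name__ == "__main__":
    print(simulate(SAME_NAME))        # {'secure_https': ['login'], 'www_http': []}
    print(simulate(DIFFERENT_NAMES))  # {'secure_https': ['login_http', 'login_https'], 'www_http': ['login_http']}
```

Whatever value the non-Secure cookie carries travels over plain HTTP to www.example.com, which is why the answer's advice to keep credentials out of it and use a token instead matters.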