views: 291

answers: 4

Why is it that if I create a cookie on www.example.com and check it on example.com, the cookie doesn't exist there? I am planning to just use .htaccess to redirect non-www to a www domain. But how do I solve this?

A: 

Because PHP translates www.mydomain.com differently from mydomain.com. If the domains are not 100% identical, the cookie won't match.

And I'm sure the browser also looks for 100% match of the domain name before allowing servers to overwrite them.

Just use .htaccess to redirect. It's the only SURE way to tackle this in all browsers.

Vance
Prefixing the domain with a period fixes the problem. Exact match is not required.
TheJacobTaylor
"because php translates"... It has nothing to do with php and everything to do with the browsers. Browsers don't send every cookie they have to the website. They only pick the one(s) that have matching domain names.
Chris Lively
+10  A: 

Browsers are the main culprit here, not PHP. They store by domain, and don't know that www is a special case; from their perspective, www.mydomain.com and mydomain.com are different strings, and therefore have different security policies. However, there is something you can do.

When setting the cookie, use .mydomain.com (with the leading dot). This will tell your user's browser to make the cookie accessible to mydomain.com and all subdomains, including www. PHP's setcookie has the argument $domain, but it's fifth on the list, so you may need to set $expire and $path to their default values in order to get at it.

setcookie('name', 'value', time()+3600, '/', '.mydomain.com'); // $expire = 1 hour, $path = '/', $domain = '.mydomain.com'

For consistency, however, you may wish to consider rerouting all web traffic to a specific domain, i.e. send mydomain.com traffic to www.mydomain.com, or vice versa. My vague knowledge of SEO (edit if incorrect) tells me that it's helpful so as not to have duplicate content, and it saves you all such authentication issues. Additionally, if you store assets on a subdomain, having cookies on there slows down traffic by having to transport it each time, so storing application cookies only on www earns you that speed boost.

Here is a tutorial on how to accomplish such a redirect in Apache.

Matchu
You're close on the SEO stuff. It doesn't matter if you pick to do it with or without the www, as long as you pick one and stick with it.
Chris Lively
Edited to generalize :)
Matchu
www.* is not a special case. It's a convention, but it has no codified meaning in the http/cookie RFCs. It'd be pretty absurd for browsers to magically give www special treatment. Regardless, +1.
Frank Farmer
Yeeaah, it's not. But before you learn enough, a lot of the inner workings of the internet seem like magic, so I'm willing to take things gradually when explaining ;)
Matchu
A: 

I believe you can set the cookie at example.com (really .example.com) and it will be sent if they go to www.example.com, but not vice versa. This standard security policy is to prevent users' private data from being sent to unintended servers.

Personally, I use virtualhosts in my apache2.conf:

<VirtualHost *:80>
    ServerName example.com
    RedirectMatch (.*) http://www.example.com$1
</VirtualHost>

... in this example, everyone trying to load e.g. http://example.com/index.html is redirected to http://www.example.com/index.html.

njahnke
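The domain-scoping rule the two answers above describe (the leading-dot $domain, and the "sent to www but not vice versa" direction) as an added example that is not from the original thread: a minimal model of RFC 6265 cookie scoping in Python, with hypothetical helper names and a constructed www/bare-domain scenario.

```python
from typing import Dict, List, Optional

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: does request_host domain-match cookie_domain?"""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    # Suffix match preceded by a dot; IPv4 literals never domain-match.
    return (request_host.endswith("." + cookie_domain)
            and not request_host.replace(".", "").isdigit())

def store_cookie(set_by_host: str, name: str, value: str,
                 domain_attr: Optional[str]) -> Dict:
    """Model a browser storing one Set-Cookie received from set_by_host.

    No Domain attribute -> host-only cookie (RFC 6265 5.3 step 6), which is
    what setcookie() without $domain produces. A leading dot is ignored
    (5.2.3), and a Domain the setting host does not match is rejected.
    """
    if domain_attr is None:
        return {"name": name, "value": value,
                "domain": set_by_host.lower(), "host_only": True}
    dom = domain_attr.lower().lstrip(".")
    if not domain_matches(set_by_host, dom):
        raise ValueError(f"{set_by_host} may not set a cookie for {domain_attr}")
    return {"name": name, "value": value, "domain": dom, "host_only": False}

def cookies_for(request_host: str, jar: List[Dict]) -> List[str]:
    """RFC 6265 5.4: names of stored cookies a browser sends to request_host."""
    host = request_host.lower()
    return [c["name"] for c in jar
            if (host == c["domain"] if c["host_only"]
                else domain_matches(host, c["domain"]))]

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two cookies set while the user is on www."""
    jar = [
        # The question's case: setcookie() with no $domain -> host-only
        store_cookie("www.example.com", "sess_hostonly", "1", None),
        # The fix: pass '.example.com' as $domain
        store_cookie("www.example.com", "sess_shared", "2", ".example.com"),
    ]
    return {
        "www": cookies_for("www.example.com", jar),
        "bare": cookies_for("example.com", jar),
        "lookalike": cookies_for("notexample.com", jar),
    }

if __name__ == "__main__":
    print(demo())
```

Real browsers additionally reject a Domain attribute that is a public suffix (for example `.com` or `.co.uk`), a check this model leaves out.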
+1  A: 
setcookie("CookieName", "value", time()+3600, "/", ".mydomain.com");
scopus