tags:

views:

203

answers:

3
+1  Q: 

Setting cookie for site in http and https under different subdomains in PHP

Situation:

  1. I'm trying run an https store (xcart) under one domain secure.example.com and I want to have access to a cookie it sets in http www.example.com
  2. I'm running PHP on Apache (MAMP), testing in Firefox with Firecookie
  3. The existing code sets cookies to .secure.example.com. I'm not sure if this is xcart related, but setcookie is actually called using secure.example.com. I'm not sure why the "." is appended.

Problems:

  1. When I try to use setcookie in https to use the domain .example.com or just example.com, no cookie is created, whether I'm running the store under http or https. The testing code I'm using is:

    setcookie('three', 'two', 0, "/", ".example.com");

If I set the cookie to secure.example.com or .secure.example.com it does show up.

Is there a reason the cookie isn't showing up?

A: 

Did you try setcookie('three', 'two', 0, "/", ".mydomain.com"); ?

Ramesh  2010-03-17 17:39:46
I'm running this on localhost right now, so I don't have .com at the end, just www.mydomain and secure.mydomain
nilacqua  2010-03-17 17:48:30
Add a host file entry(C:\WINDOWS\system32\drivers\etc\hosts) to any domain and map it to your local machine's IP.Ensure that domain is not going through any proxies in your browser.
Ramesh  2010-03-17 19:42:50
+1  A: 

Yes - but the policy is determined by the browser (and on some browsers can be configured).

IIRC the semantics of the preceding . are explained in the cooke RFCs (2109 for the standard cookies states:

A is a FQDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a FQDN string. (So, x.y.com domain-matches .y.com but not y.com.)

Which I would interpret as meaning that a domian in a setcookie directive intended to be used as a wildcard match should be preceded by a '.' i.e. .example.com - however the spec goes on to say:

Domain=domain Optional. The Domain attribute specifies the domain for which the cookie is valid. An explicitly specified domain must always start with a dot.

Which to me implies the opposite.

I suggest you read it yourself and experiment.

The obvious practical solution is, in the absence of a suitable cookie, to redirect back to the cookie-setting webserver for it to check its cookie then send back another redirect to the originating server with cookie details in the query string, then drop a copy of the cookie associated with the current server.

Alternatively you may get some mileage out of using FQDNs with more sections, e.g.

secure.www.example.com

and

www.example.com

(dropping the cookie for [.]www.example.com)

HTH

C.

symcbean  2010-03-17 18:02:07
+1  A: 

The problem was that I was using localhost with a one word domain, 'mydomain', a fact which for some reason was edited out of the original message. At least firefox requires at least two words for an explicitly set cookie, something like mydomain.local. I changed the hosts file to have the domains: www.mydomain.local and secure.mydomain.local, and I was able to set the cookies to .mydomain.local.

Also I found that php automatically puts a "." in front of explicitly set cookies.

nilacqua  2010-03-17 18:49:37

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases