I’m working on a site with multiple subdomains, some of which should get their own session.
I think I’ve got it worked out, but have noticed something about cookie handling that I don’t understand. I don’t see anything in the docs that explains it, so thought I would see if anyone here has some light to shed on the question.
If I just do:
session_start();
I end up with a session cookie like this:
subdomain.example.net
However, if I make any attempt to set the cookie domain myself, either like
ini_set('session.cookie_domain', 'subdomain.example.net');
or like
session_set_cookie_params( 0, "/", "subdomain.example.net", false, false);
I end up with a cookie for .subdomain.example.net (note the opening dot), which I believe means “match all subdomains (or in this case sub-subdomains).
This seems to happen with all my cookies actually, not just session. If I set the cookie domain myself, it automatically has the dot prepended, meaning this domain and all subs of it. If I don’t set the domain, then it gets it right by using only the current domain.
Any idea what causes this, and what I can do to control that prepending dot?
Thanks!
Advertisement
Answer
PHP’s cookie functions automatically prefix the $domain with a dot. If you don’t want this behavior you could use the header function. For example:
header("Set-Cookie: cookiename=cookievalue; expires=Tue, 06-Jan-2009 23:39:49 GMT; path=/; domain=subdomain.example.net");