#1
  1. No Profile Picture
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Sep 2006
    Posts
    1,806
    Rep Power
    529

    Cookies with multiple URLs


    I have a web application with three basic entry points

    • http://www.mysite.com/index.php?page=123. Displays a page if $_SESSION['logged_on'] is set, otherwise displays a logon page.
    • http://www.mysite.com/ajax.php?task=123&data=abc. Responds to AJAX requests if $_SESSION['logged_on'] is set, otherwise sends 404 header and displays missing page text.
    • http://www.mysite.com/remote.php?hash=asdlkfjasdf&data=123. Updates a database, displays some HTML, and/or supplies a document if hash is correct, otherwise sends 404 header and displays missing page text.


    My server is set up so http://www.mysite.com and http://mysite.com point to the same directory.

    Everything was working great until index.php set a cookie, and then later ajax.php tried to write to the same cookie.

    I then started looking at the various URLs using Firebug both with and without the www, and found that some had cookies associated with them, and others did not.

    Can anyone explain what is going on? Thanks
  2. #2
  3. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,692
    Rep Power
    6351
    Cookies are associated with the domain that set them. If you fail to set the 4th argument to setcookie() (the "domain" argument), then the cookie binds to whatever domain you happen to have hit.

    If you go to yoursite.com/index.php which fires an ajax request to www.yoursite.com/ajax.php, ajax.php won't see the cookies set by index.php unless all your setcookie calls bind to ".yoursite.com". The dot at the beginning makes it a wildcard, critical to its success.

    Read the manual page for setcookie for more.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Sep 2006
    Posts
    1,806
    Rep Power
    529
    Thanks Dan,

    It looks like sessions experience the same behavior, and their associated cookie binds to only one domain.

    I did what you suggested, but then my cookies and sessions could get all out of whack. By the way, I am using sessions and cookies for user authentication, and I want to ensure that when the user logs off, he/she logs off domains both with and without www.

    This problem relates to how cookies are available to the domain that set them and higher domains, and how cookies set by lower domains will be available to that domain.

    For instance, if I do Action A at http://www.mysite.com and then do Action B at http://mysite.com, it might create a different state than if I had done Action A at http://mysite.com and then done Action B at http://www.mysite.com.

    This doesn't seem right, and I want to see similar behavior.

    Looks like my options are:
    1. Set the domain of the cookies as you described, and the same for sessions using session_set_cookie_params().
    2. Redirect to a single URI. How would this best be done?
    3. Some other solution that I didn't think of?


    Any advice? Thanks
  6. #4
  7. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,301
    Rep Power
    7170
    You can set up a redirect rule to force them to one domain pretty easily using mod_rewrite.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Sep 2006
    Posts
    1,806
    Rep Power
    529
    Thank you E-Oreo,

    So don't bother with having the PHP application trying to set cookie domains and cookie session domains to a common domain, and instead just use mod_rewrite, correct?
  10. #6
  11. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,692
    Rep Power
    6351
    Both #1 and #2 are easy. As oreo said, #2 is an easy redirect rule. #1 is just a find/replace of all your setcookie calls. There can't be many.

    You would also have to set the session cookie's domain with session_set_cookie_params
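Option 1 from the thread (every setcookie() call and the session cookie bound to one shared domain), together with the log-off requirement raised in post #3, as an added example that is not code from any poster. COOKIE_DOMAIN uses the thread's placeholder host, and the function names are hypothetical.

```php
<?php
// Added example: one place that decides cookie scope for the whole application.
// COOKIE_DOMAIN uses the thread's placeholder host; function names are hypothetical.
const COOKIE_DOMAIN = '.mysite.com';   // matches mysite.com and www.mysite.com
const COOKIE_PATH   = '/';

function cookie_secure(): bool
{
    // Mark cookies Secure whenever the request arrived over HTTPS.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_shared_session(): void
{
    // Must run before session_start(), otherwise the session cookie stays
    // bound to whichever host name the visitor happened to use.
    session_set_cookie_params(0, COOKIE_PATH, COOKIE_DOMAIN, cookie_secure(), true);
    session_start();
}

function set_shared_cookie(string $name, string $value, int $lifetime): bool
{
    // Same domain and path on every call, so index.php and ajax.php always
    // read and overwrite the same cookie. The last argument sets HttpOnly.
    return setcookie($name, $value, time() + $lifetime,
                     COOKIE_PATH, COOKIE_DOMAIN, cookie_secure(), true);
}

function log_off(array $cookieNames = []): void
{
    // Assumes start_shared_session() already ran for this request and that
    // no output has been sent yet (cookies travel in response headers).
    $cookieNames[] = session_name();
    $past = time() - 3600;
    foreach ($cookieNames as $name) {
        // A browser only drops a cookie whose name, domain and path all match.
        setcookie($name, '', $past, COOKIE_PATH, COOKIE_DOMAIN);
        // Also expire a host-only copy issued before the domain was fixed;
        // this reaches only the host name serving the current request.
        setcookie($name, '', $past, COOKIE_PATH);
    }
    $_SESSION = [];
    session_destroy();
}
```

A cookie scoped to the shared domain is sent to every subdomain of mysite.com, not only www, so this fits sites where all subdomains are trusted equally with the session cookie.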
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Sep 2006
    Posts
    1,806
    Rep Power
    529
    Thanks Dan,

    I agree that both are easy fixes. I am just curious whether there is a de facto standard fix to this problem, or whether one has advantages over the other.

    For instance, the mod_rewrite isn't as portable to other HTTP servers; however, that isn't a problem for my case.
  14. #8
  15. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,692
    Rep Power
    6351
    There is no de-facto "industry standard" fix for this. Some sites use oreo's solution, some use mine.
  16. #9
  17. No Profile Picture
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Sep 2006
    Posts
    1,806
    Rep Power
    529
    So is Oreo's or your solution the best?
  18. #10
  19. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    Sydney Australia
    Posts
    178
    Rep Power
    83
    Originally Posted by NotionCommotion
    So is Oreo's or your solution the best?
    You say "to-may-to", I say "to-mar-to".
  20. #11
  21. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,692
    Rep Power
    6351
    There is no "best" in this scenario. Do whatever you think is most convenient for you and your users. Both solutions are 100% effective.

    Oreo's solution is slightly more future-proof than mine because it doesn't open you up to problems if you write a setcookie() line in the future and forget to set the host properly.

    Mine is slightly more portable than Oreo's because it allows you to move your code to a webserver or host without Oreo's rewrite rule.
  22. #12
  23. No Profile Picture
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Sep 2006
    Posts
    1,806
    Rep Power
    529
    Thanks Dan. So, I hear you say they are both considered good approaches and commonly used. I am okay with that. I just wanted to make sure I did not choose a direction which technically works but no one really uses.
