Cookies with multiple URLs

November 9th, 2012, 02:24 PM
I have a web application with three basic entry points:
- http://www.mysite.com/index.php?page=123. Displays a page if $_SESSION['logged_on'] is set, otherwise displays a logon page.
- http://www.mysite.com/ajax.php?task=123&data=abc. Responds to AJAX requests if $_SESSION['logged_on'] is set, otherwise sends 404 header and displays missing page text.
- http://www.mysite.com/remote.php?hash=asdlkfjasdf&data=123. Updates a database, displays some HTML, and/or supplies a document if hash is correct, otherwise sends 404 header and displays missing page text.
My server is set up so http://www.mysite.com and http://mysite.com point to the same directory.
Everything was working great until index.php set a cookie, and then later ajax.php tried to write to the same cookie.
I then started looking at the various URLs using Firebug both with and without the www, and found that some had cookies associated with them, and others did not.
Can anyone explain what is going on? Thanks

November 9th, 2012, 02:42 PM
Sarcky
Join Date: Oct 2006
Location: Pennsylvania, USA
Cookies are associated with the domain that set them. If you fail to set the 4th argument to setcookie() (the "domain" argument), then the cookie binds to whatever domain you happen to have hit.
If you go to yoursite.com/index.php which fires an ajax request to www.yoursite.com/ajax.php, ajax.php won't see the cookies set by index.php unless all your setcookie calls bind to ".yoursite.com". The dot at the beginning makes it a wildcard, critical to its success.
Read the manual page for setcookie for more.

November 10th, 2012, 08:51 AM
Thanks Dan,
It looks like sessions experience the same behavior, and their associated cookie binds to only one domain.
I did what you suggested, but then my cookies and sessions could get all out of whack. By the way, I am using sessions and cookies for user authentication, and I want to ensure that when the user logs off, he/she logs off domains both with and without www.
This problem relates to how cookies are available to the domain that set them and higher domains, and how cookies set by lower domains will be available to that domain.
For instance, if I do Action A at http://www.mysite.com and then do Action B at http://mysite.com, it might create a different state than if I had done Action A at http://mysite.com and then Action B at http://www.mysite.com.
This doesn't seem right, and I want to see similar behavior.
Looks like my options are:
- Set the domain of the cookies as you described, and the same for sessions using session_set_cookie_params().
- Redirect to a single URI. How would this best be done?
- Some other solution that I didn't think of?
Any advice? Thanks

November 10th, 2012, 10:00 AM
Lost in code
You can set up a redirect rule to force them to one domain pretty easily using mod_rewrite.
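
The redirect to a single host, done here in PHP rather than as the mod_rewrite rule the post mentions, for hosts where the rewrite rule is not available. This is an added example, not code from the thread; `CANONICAL_HOST` and the function names are assumptions, and mysite.com is the thread's placeholder.

```php
<?php
// Added example, not code from the thread. CANONICAL_HOST and the function
// names are hypothetical; mysite.com is the thread's placeholder host.
const CANONICAL_HOST = 'www.mysite.com';

// Returns the URL to redirect to, or null when the request already used the
// canonical host. The target host is the fixed constant, never the
// client-supplied Host header, so a forged header cannot steer the redirect.
function canonical_redirect_target(array $server)
{
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    $host = preg_replace('/:\d+$/', '', $host); // ignore an explicit port
    if ($host === CANONICAL_HOST) {
        return null;
    }
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    $uri    = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // Keep only an origin-form path without line breaks; else fall back to "/".
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\r\n]/', $uri)) {
        $uri = '/';
    }
    return $scheme . '://' . CANONICAL_HOST . $uri;
}

// Call at the top of each entry point, before any output and before any
// cookie or session is set, so cookies are only ever issued for one host.
function enforce_canonical_host()
{
    $target = canonical_redirect_target($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}
```

A 301 makes browsers repeat a redirected POST as a GET, so the redirect is meant to catch the initial page load; AJAX calls made with relative URLs from the canonical page never reach it.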

November 10th, 2012, 10:17 AM
Thank you E-Oreo,
So don't bother with having the PHP application trying to set cookie domains and cookie session domains to a common domain, and instead just use mod_rewrite, correct?

November 10th, 2012, 12:09 PM
Sarcky
Join Date: Oct 2006
Location: Pennsylvania, USA
Both #1 and #2 are easy. As oreo said, #2 is an easy redirect rule. #1 is just a find/replace of all your setcookie calls. There can't be many.
You would also have to set the session cookie's domain with session_set_cookie_params
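
The shared cookie domain from the first reply, applied to both application cookies and the session cookie as described here, with a log-off that expires both cookie scopes. This is an added example, not code from the thread, and the function names are hypothetical. A cookie bound to `.mysite.com` is sent to every subdomain of mysite.com, so the example assumes all of them are trusted with the session.

```php
<?php
// Added example, not code from the thread. mysite.com is the thread's
// placeholder host; the function names are hypothetical.
const COOKIE_DOMAIN = '.mysite.com'; // covers mysite.com and www.mysite.com
const COOKIE_PATH   = '/';

function request_is_https()
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Call instead of session_start() in index.php and ajax.php. The cookie
// parameters must be set before the session starts, on every entry point.
function start_shared_session()
{
    // lifetime 0 = until the browser closes; last argument sets HttpOnly
    session_set_cookie_params(0, COOKIE_PATH, COOKIE_DOMAIN, request_is_https(), true);
    return session_start();
}

// Application cookie bound to the shared domain, not the host that was hit.
function set_shared_cookie($name, $value, $ttl)
{
    return setcookie($name, $value, time() + $ttl, COOKIE_PATH,
                     COOKIE_DOMAIN, request_is_https(), true);
}

// A browser replaces or drops a cookie only when name, domain and path all
// match, so the domain-wide cookie and a host-only copy left over from
// before the change are expired separately. A host-only copy stored for the
// other host can only be cleared by a request made to that host.
function expire_cookie($name)
{
    $past = time() - 3600;
    setcookie($name, '', $past, COOKIE_PATH, COOKIE_DOMAIN);
    setcookie($name, '', $past, COOKIE_PATH);
}

function log_off()
{
    if (session_id() === '') {
        start_shared_session();
    }
    $_SESSION = array();            // drops logged_on with everything else
    expire_cookie(session_name());
    return session_destroy();       // removes the server-side session data
}
```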

November 11th, 2012, 06:23 AM
Thanks Dan,
I agree that both are easy fixes. I am just curious whether there is a de facto standard fix to this problem, or whether one has advantages over the other.
For instance, the mod_rewrite isn't as portable to other HTTP servers; however, that isn't a problem for my case.

November 11th, 2012, 04:12 PM
Sarcky
Join Date: Oct 2006
Location: Pennsylvania, USA
There is no de-facto "industry standard" fix for this. Some sites use oreo's solution, some use mine.

November 11th, 2012, 08:06 PM
So is Oreo's or your solution the best?

November 11th, 2012, 09:38 PM
Contributing User
Join Date: Aug 2011
Location: Sydney Australia
Quote (Originally Posted by NotionCommotion): So is Oreo's or your solution the best?
You say "to-may-to", I say "to-mar-to".

November 12th, 2012, 09:12 AM
Sarcky
Join Date: Oct 2006
Location: Pennsylvania, USA
There is no "best" in this scenario. Do whatever you think is most convenient for you and your users. Both solutions are 100% effective.
Oreo's solution is slightly more future-proof than mine because it doesn't open you up to problems if you write a setcookie() line in the future and forget to set the host properly.
Mine is slightly more portable than Oreo's because it allows you to move your code to a webserver or host without Oreo's rewrite rule.

November 12th, 2012, 09:30 AM
Thanks Dan. So, I hear you say they are both considered good approaches and commonly used. I am okay with that. I just wanted to make sure I did not choose a direction which technically works but no one really uses.