In the application I'm writing using a combination of development environments and languages, I have need of accessing a cookie from two different subdomains, each on a separate host.
The cookie is being set on www.mydomain.com
using the PHP code that follows, and I'm attempting to access it from distant.mydomain.com
on a separate host.
setcookie('token', base64_encode(serialize($token)), time()+10800, '/', '.mydomain.com');
I'm trying to access the cookie from distant.mydomain.com
using the following code:
if (isset($_COOKIE['token'])) { /* do stuff */ }
The problem: distant.mydomain.com
is not finding the cookie. The if
statement just mentioned returns false, even though the cookie exists.
I have verified that the cookie that is set is for mydomain.com
(by checking my Firefox cookies). I can't think of any reason this wouldn't be working.
Using the same setcookie
code, I have an old application running exclusively on the www.mydomain.com
host, and that application is able to access the cookie across domains. This makes me suspect that the problem has to do with separate hosts.
Just in case any of the following information is pertinent:
- www.mydomain.com
is IIS 6.0
- distant.mydomain.com
is Apache 2.2.9
- Both servers use PHP 5.2.x
- Both servers are operating on Windows Server 2003
If there is any further information I can provide in order to better describe the problem, please let me know!
To share cookies across subdomains, you can simply create cookies with the domain directive set to the parent domain, in this case, example.com, rather than either of the specific subdomains.
To share a cookie between domains, you will need two domains, for example myserver.com and slave.com . One of the domains will issue the cookies and the other domain will ask the first domain what cookie should be issued to the client.
Conclusion: if a resource sets a cookie and the base domain on the resource is the same as the base domain on the web site, but the subdomain is different, popular browsers do not treat it as a third-party cookie.
The origin domain of a cookie is the domain of the originating request. If the origin domain is an IP, the cookie's domain attribute must not be set. If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain.
For the benefit of anyone reading this question the code and information contained in the original post are exactly correct and work fine.
The problem is when you introduce other technology. For instance, I have since learned that sending PHP code through a Python module, one that allows Django to serve PHP files/content, changes a great deal about what is accessible to the script and what is not.
This was eventually discovered following the advice of Marc Novakowski, who suggested sending $_COOKIE
to the log in order to find out what was there.
I also checked out $_SERVER
and $_GET
. It was the emptiness of $_GET
that tipped me off that the setup I am attempting to use is not as straightforward as I had thought. It was that mistaken understanding that led to not including the information about Django in the original post.
Apologies and thanks to all who responded to this question!
Cookies set in domain
'.aaa.sub.domain.com'
will collide with identically named cookies set in domain
'.sub.domain.com'
and '.some.stupidly.obscure.multi.sub.domain.com'
That means (and this took some time to wade thru) if you're going to use the same-named cookie across multiple domains, you must set it once (and once only) in the main/base domain, in this case '.domain.com'; otherwise, the resulting cookie will be indeterminantly and randomly returned arrived at, sometimes the cookie 'jasper' set in .a.sub.domain.com, sometimes the cookie 'jasper' set in .sub.domain.com, sometimes the cookie 'jasper' set in .b.c.d.domain.com, sometimes the cookie 'jasper' set in '.sub.domain.com' and sometimes the cookie 'jasper' set in '.domain.com'
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With