How to change session cookie domain for existing users

My PHP web app currently has its session cookie domain set to example.com. I'd like to change it to .example.com. For new visitors, ini_set('session.cookie_domain', '.example.com') works. For visitors who already have the PHPSESSID cookie before this change is made, the domain remains at the old value. How can I change the domain on the session cookie without asking current users to delete their cookies?

  • I can't use JavaScript to update the cookie because it's HTTPOnly for security reasons.
  • Deleting the sessions on the server doesn't reset the whole cookie; it only updates the cookie value (keeping the domain the same).
  • Modern browsers preserve the session across restarts, so even though the cookie is set to expire at the end of the browser session, the browser session effectively never ends.

The only possibility I can come up with is to set the cookie to expire in the past and then redirect to get a new cookie. But I can't know which visitors have the cookie domain set incorrectly.

Matt S asked Oct 21 '22 06:10



1 Answer

Set a new session_name() before you start the session. That way the name of the cookie changes, and any old cookie will be ignored. Only new cookies will be sent out and work for the session.

Sven answered Oct 24 '22 04:10

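A PHP implementation of the approach in the answer, added here as an example; it is not code from the original question or answer. The new cookie name APPSESSID, the cookie flags, and the clean-up of the stale PHPSESSID cookie are assumptions. It goes slightly beyond the answer: because PHP no longer consults the old cookie once the session name changes, the server can expire it whenever it shows up, without knowing which domain it was originally set with.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3 and that the
// old session cookie was named PHPSESSID and set with domain "example.com".
const OLD_SESSION_NAME = 'PHPSESSID';
const NEW_SESSION_NAME = 'APPSESSID';   // hypothetical new cookie name
const COOKIE_DOMAIN    = '.example.com';

function startSessionWithNewDomain(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    // Rename the session cookie. Browsers keep sending the old PHPSESSID
    // cookie, but PHP ignores it because it is no longer the session cookie.
    session_name(NEW_SESSION_NAME);

    // Attributes for the new session cookie; set before session_start().
    session_set_cookie_params([
        'lifetime' => 0,            // browser-session cookie
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,         // only sent over HTTPS
        'httponly' => true,         // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();

    // Clean-up: the stale cookie is never used again, so it can be expired
    // whenever it is present. A deletion only takes effect if domain and
    // path match the original cookie, so cover both the host-only form and
    // the explicit "example.com" domain the old configuration used.
    if (isset($_COOKIE[OLD_SESSION_NAME])) {
        $expired = ['expires' => time() - 3600, 'path' => '/',
                    'secure' => true, 'httponly' => true];
        setcookie(OLD_SESSION_NAME, '', $expired);
        setcookie(OLD_SESSION_NAME, '', $expired + ['domain' => 'example.com']);
    }
}

// Must run before any output is sent, since it emits Set-Cookie headers.
startSessionWithNewDomain();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```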