Menu
Is there any way to set a cookie that is not readable on subdomains? In other words, have the cookie available on domain.com, but not www.domain.com or xyz.domain.com.
//this is what i'm "intending"...
setcookie($name,$value,$expires,'/','domain.com');
//however, this is how it behaves:
setcookie($name,$value,$expires,'/','.domain.com');
The reasoning: I'm setting up a static CDN on a subdomain and don't want the user session cookies going back and forth for every image, css file, js file, etc.
...do I have to fall back to using www.domain.com for my site? Are there any workarounds?
933
Top-Level Domains and cookiesJavaScript allows you to set a cookie available to all bar.com subdomains from within the foo.bar.com subdomain.
Note: The setcookie() function must appear BEFORE the <html> tag. Note: The value of the cookie is automatically URLencoded when sending the cookie, and automatically decoded when received (to prevent URLencoding, use setrawcookie() instead).
The setcookie() function defines a cookie to be sent along with the rest of the HTTP headers. A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser, it will send the cookie too.
Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain.
Apparently, having a cookie on "domain.com" that will match "*.domain.com" is expected behaviour.
For instance : PERSISTENT CLIENT STATE HTTP COOKIES state (some emphasis mine) :
domain=DOMAIN_NAMEWhen searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. ...
"Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
So, you'll either have to :
www.domain.com" for your site.anotherdomain.com")
105
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
