set php session on only www.website.tld and www.apps.website.tld_问答_开发者

set php session on only www.website.tld and www.apps.website.tld

开发者 https://www.devze.com 2023-02-24 22:50 出处：网络

I only want the session cookie on www.website.tld and www.apps.website.tld, using ini_set if possible. Also i need to set all cookies i write to both subdomains only. I do not want www.imgs.website.tld to have the cookies. the php session one i'm kinda unsure of. The cookies i set my self my idea was to call SetBothCookie($name,$value,$time) a custom function.

function SetBothCookie($name,$value,$time)
{
setcookie($name, $value, $time, "", "www.website.tld", 1);
setcookie($name, $value, $time, "", "www.apps.website.tld", 1);
}

So i think i have the SetBothCookie part down, but wanted to see what others think of that code. The开发者_开发问答 part i'm stuck on is having php set the session cookie on both sub domains. I'm using session_set_save_handler to override the default php session storage to store sessions in the database, so both servers can use the same session data. From my understanding is if i put Javascript that does http requests on the www.apps.website.tld to www.website.tld it won't allow them to happen, and i want that added security, so thats my reason of running only a part of the site on a subdomain.

This function should work but...

Using secure parameter in set_cookie() according to PHP manual

Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

So I suggest to remove 6th parameter of set_cookie() function.

Also, you can call this function before any output or it will throw a warning like

Warning: Cannot modify header information - headers already sent by (output started at ...) in ... on line XX

Using session_set_save_handler() is good solution to take control over session variables.

If you want cookies for entire domain just use "/" or ".website.tld" (with initial dot according to RFC 2109 standard) for domain parameter (5th in a row). Parameter path should be "" (empty string; 4th).