I have a site that uses www.example.com for standard pages and secure.example.com for HTTPS. I am trying to set a cookie when a user logs in that will be valid on both the HTTP & HTTPS versions of the site.
I am doing this by setting path to "/" and domain to ".example.com". This works fine in Firefox and Internet Explorer, but in Chrome the cookie is only working on the version of the site where it was set (http://www.example.com or https://secure.example.com).
Is this a bug or am I doing something wrong? If it's a bug is there a workaround?
The cookie is being set by PHP in headers.
setcookie("login",base64_encode($email."::".md5($password)),2840184012,"/",".example.com");
You cannot set a cookie for both HTTP and HTTPS at the same time. You need to set two separate cookies, one for HTTP and one for HTTPS:
setcookie("login", base64_encode($email."::".md5($password)), 2840184012, "/", ".example.com");
setcookie("login", base64_encode($email."::".md5($password)), 2840184012, "/", ".example.com", true);
This only works if you set the cookies on https://secure.example.com, as you can only set secure cookies via HTTPS.
Oh, and by the way: do not store the authentication information in a cookie! Use a once-valid authentication token instead.
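One way to implement the single-use token that the answer above recommends, in place of a cookie carrying the e-mail address and password hash. This is an added example, not code from the question or the answer; the in-memory `$store` array and all function names are assumptions standing in for the site's own server-side session table.

```php
<?php
// Assumption: $store stands in for a server-side table (a real site would use
// its database); all function names are hypothetical. Needs PHP 7.3+.

/** Create a single-use token for $email and return the cookie value. */
function issueLoginToken(array &$store, string $email, int $ttl = 1209600): string
{
    $selector = bin2hex(random_bytes(9));   // public lookup key
    $token    = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'email'   => $email,
        'hash'    => hash('sha256', $token),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $token;
}

/** Check a cookie value; on success return [email, replacement cookie value]. */
function redeemLoginToken(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $token] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);               // single use: burned on any attempt
    if ($row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $token))) {
        return null;
    }
    return [$row['email'], issueLoginToken($store, $row['email'])];
}

/** Send the cookie: call before any output. Secure => sent over HTTPS only. */
function sendLoginCookie(string $value, int $ttl = 1209600): bool
{
    return setcookie('login', $value, [
        'expires' => time() + $ttl, 'path' => '/', 'domain' => '.example.com',
        'secure'  => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo with an in-memory store; runs from the CLI.
$store  = [];
$cookie = issueLoginToken($store, 'user@example.com');
[$email, $next] = redeemLoginToken($store, $cookie);
var_dump($email === 'user@example.com');      // first use is accepted
var_dump(redeemLoginToken($store, $cookie));  // replaying the old value is rejected
```

On each authenticated request the site would pass the replacement value returned by `redeemLoginToken()` to `sendLoginCookie()`, so a copied cookie stops working as soon as the legitimate browser uses it.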