0

So I'm creating a site where users must log in. If the user wishes that the site remember his login, I set a cookie to remember this data. However, the cookie seems to be set for the site www.mysite.com. This seems to mean that if I visit my site with the address mysite.com (without the www.), the cookie can no longer be accessed. How do I make it so that a cookie set on either site can be accessed by both sites?

user532493
  • 337
  • 1
  • 3
  • 11
  • 1
    Perhaps duplicate? http://stackoverflow.com/questions/348282/php-cookie-domain-subdomain-control – Rey Gonzales Jun 20 '12 at 15:45
  • Hm, tricky, you know what, counter to all good practices, let's consult [that dreadful manual](http://nl3.php.net/setcookie), and let's hope we notice the `$domain` parameter.... – Wrikken Jun 20 '12 at 15:46
  • possible duplicate of [Best way to make www.mysite.com AND mysite.com use the same session variables?](http://stackoverflow.com/questions/11080989/best-way-to-make-www-mysite-com-and-mysite-com-use-the-same-session-variables) – Quentin Jun 20 '12 at 16:37

3 Answers

3

Brian Scott already properly answered the question, but I thought I would add this:

In my opinion if you are allowing a user to "remember" their login, then you'll want to maintain specific control over how/where/why/when and that includes maintaining a secure connection.

For my projects that involved any kind of login I always make sure I have the appropriate SSL certificate and secure connection, then I check the URL they are using to access the site and redirect to make sure they stay within my secure domain. For example I check for the www. and https prefixes and always redirect to https://www.domain.com ... just my two cents.

EDIT: In response to comment. Just real rough, but something like this:

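```php
// Redirect to the canonical HTTPS host unless the request is already HTTPS on a www. host.
// $_SERVER['HTTPS'] may be unset (plain HTTP) or 'off' (IIS), so test it defensively.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
if (!$isHttps || $_SERVER['SERVER_PORT'] != '443' || stripos($host, 'www.') !== 0) {
  header('Location: https://www.mydomain.com');
  exit();
}
```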

2nd EDIT: Two errors in my roughly typed code.

Luke Pittman
  • 870
  • 4
  • 12
2

Set your cookie for .mysite.com instead of www.mysite.com. That way the cookie will recognize the common domain suffix and be compatible with both URLs.

Brian Scott
  • 9,221
  • 6
  • 47
  • 68
  • I did what you suggested but now the opposite issue is occurring. The site reads the cookies properly on mysite.com but on www.mysite.com, the site operated as if no cookies exist. – user532493 Jun 20 '12 at 16:10
  • @user532493: I'm not sure why, I've used this method many times in the past successfully. It might be worth posting your code that creates the cookie to ensure it's being performed correctly. – Brian Scott Jun 21 '12 at 08:45
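The browser-side scoping rule this answer relies on, as an added example (not code from the answer or the thread): a simplified model of RFC 6265 domain matching that compares a host-only cookie with one set using `Domain=.mysite.com`. It goes slightly beyond the question by including a constructed third host, `blog.mysite.com`, to show that a domain cookie reaches every subdomain; IP-address hosts and public-suffix checks are left out of the model.

```javascript
// Simplified model of RFC 6265 cookie scoping (sections 5.1.3 and 5.3).
// Added illustration; blog.mysite.com is a constructed host, not from the page.

// Parse the Domain attribute as browsers do: lower-case, ignore one leading dot.
function normalizeDomainAttr(attr) {
  if (!attr) return null;
  const d = attr.trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

// RFC 6265 domain-match: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Store a cookie set by a response from originHost; null means the browser rejects it.
function storeCookie(originHost, domainAttr) {
  const host = originHost.toLowerCase();
  const domain = normalizeDomainAttr(domainAttr);
  if (domain === null) {
    // No Domain attribute: host-only cookie, exact host match required later.
    return { domain: host, hostOnly: true };
  }
  // A host may only set Domain to itself or one of its parent domains.
  if (!domainMatches(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Map each host to true/false: does it receive the cookie?
function report(originHost, domainAttr, hosts) {
  const cookie = storeCookie(originHost, domainAttr);
  const result = {};
  for (const h of hosts) result[h] = cookie !== null && isSentTo(cookie, h);
  return result;
}

const hosts = ['www.mysite.com', 'mysite.com', 'blog.mysite.com'];
console.log('host-only, set by www :', report('www.mysite.com', null, hosts));
console.log('Domain=.mysite.com    :', report('www.mysite.com', '.mysite.com', hosts));
console.log('host-only, set by apex:', report('mysite.com', null, hosts));
```

Because the domain cookie is sent to every host under mysite.com, a remember-me token scoped this way is only as well protected as the least trusted subdomain.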
1

You don't want to use both. Choose one, it's better for SEO as well. I would personally just redirect through the htaccess to the www and keep it standard.

```apache
RewriteEngine On
# If the requested host does not start with "www.", 301-redirect to the www. host.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
```
wesside
  • 5,622
  • 5
  • 30
  • 35
  • My .htaccess file already has this directive in it: `RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ $1.php [L,QSA]` Should I just put your code right below it? – user532493 Jun 20 '12 at 16:30
  • Above it, those are just limiting the file and directories and a full url rewrite. – wesside Jun 20 '12 at 17:54