
I'm having a pretty weird error when I want to set my session cookie.

If I use the following rule:

```php
session_set_cookie_params(0, '/', $_SERVER['HTTP_HOST'], false, true);
//$_SERVER['HTTP_HOST'] resolves into "jscripting.nl"
```

It will always put a "." in front of the URL and it will always make it so that my session_id will become accessible on all my subdomains, which is a problem since I develop on one of my subdomains and the session_id's might be interfering with each other.

Is there something I'm doing wrong or is something wrong with my server setup?

J. Peters
  • depends. what's your $_SERVER['HTTP_HOST']? – eis Mar 25 '13 at 20:31
  • Apparently just not setting the domain has resolved my problem, though I really would like not to resort to that because I can't make the session cookie httponly now. I will leave the question open in case someone has a better solution. – J. Peters Mar 25 '13 at 21:58

1 Answer

$_SERVER['HTTP_HOST'] does not relate to server setup; it comes from the Host header of the request that a client makes.

If you want to use a server name that is configured on the server side, the way to do it is normally to use $_SERVER['SERVER_NAME'], though in some cases that is affected by host header, too.

Edit: apparently, for any value of the domain, a dot will be appended by default, so it will include any subdomains, and the only valid way to have it apply to the current domain only is to not set the param or to use raw headers to set the cookie. See more on this subject in this thread.

You can make the cookie httponly and still have it work in your case by setting null on the domain name parameter.

eis
  • I know the function shouldn't append dots to the url that's why I call it a weird error. Even when I just input a string it will append a dot... – J. Peters Mar 25 '13 at 21:18
  • @J.Peters actually I was wrong and that's what the function is coded to do. See the discussion in the link I added - basically the ways to have it domain specific is to either omit the parameter or use raw header calls to set the cookie. – eis Mar 25 '13 at 22:26
  • If I were to summarize your answer in one sentence, I would say: use `session_set_cookie_params(0, '/', null, false, true);` (with the null in the 3rd arg replacing the manually-set hostname in the original example) – Frank Farmer Mar 25 '13 at 22:31
  • If we're pedantic, OP didn't ask how to fix the code, but whether he's doing something wrong or is there something wrong on the server setup, so I was trying to answer to that. But yes, to make it work, that's the thing that is needed. – eis Mar 25 '13 at 22:36
  • @eis Well I was looking for a fix, but I was not sure whether it was my fault or just the function's. But since your link has the answer in it I might as well accept it. – J. Peters Mar 26 '13 at 06:52
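
The scoping difference described in the answer and comments above, as an added example that is not part of the original thread: it builds the raw `Set-Cookie` header with and without a `Domain` attribute and applies RFC 6265 domain matching to show which hosts would receive the session cookie. The helper names, the `dev.jscripting.nl` subdomain and the session id are constructed for illustration.

```php
<?php
// Added example: host-only vs. domain-scoped session cookie (names are hypothetical).

// RFC 6265 section 5.1.3: does $host domain-match the cookie domain $domain?
function domainMatches(string $host, string $domain): bool
{
    $host   = strtolower($host);
    $domain = strtolower(ltrim($domain, '.')); // browsers ignore a leading dot
    if ($host === $domain) {
        return true;
    }
    // Suffix match on a label boundary; IP addresses never suffix-match.
    return !filter_var($host, FILTER_VALIDATE_IP)
        && substr($host, -strlen('.' . $domain)) === '.' . $domain;
}

// Would a cookie set by $setBy with Domain attribute $domainAttr ('' = none)
// be sent on a request to $requestHost?
function cookieSentTo(string $requestHost, string $setBy, string $domainAttr): bool
{
    if ($domainAttr === '') {
        return strtolower($requestHost) === strtolower($setBy); // host-only cookie
    }
    return domainMatches($requestHost, $domainAttr);
}

// Raw Set-Cookie header line; HttpOnly does not depend on the Domain attribute.
function sessionCookieHeader(string $name, string $id, string $domainAttr = ''): string
{
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($id) . '; Path=/';
    if ($domainAttr !== '') {
        $header .= '; Domain=' . $domainAttr;
    }
    return $header . '; HttpOnly';
}

$hosts = ['jscripting.nl', 'dev.jscripting.nl']; // second host is constructed
foreach (['jscripting.nl', ''] as $attr) {
    echo sessionCookieHeader('PHPSESSID', 'constructed-id', $attr), "\n";
    foreach ($hosts as $h) {
        $sent = cookieSentTo($h, 'jscripting.nl', $attr);
        printf("  %-18s %s\n", $h, $sent ? 'receives cookie' : 'no cookie');
    }
}

// In the application (web SAPI only): empty domain keeps the cookie host-only,
// and the fifth argument still makes it HttpOnly.
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params(0, '/', '', false, true);
    session_start();
}
```

Run from the command line, the first header (with `Domain=jscripting.nl`) is reported as reaching both hosts, while the second (no `Domain`) reaches only `jscripting.nl`.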