27

Some application, not written by me, and not in PHP, creates a cookie for the domain www.example.com.

I am trying to replace that cookie. So in PHP I did:

```php
setcookie('mycookie','mydata',time() + 2*7*24*60*60,'/','www.example.com', false);
```

However the resulting cookie is created for domain: .www.example.com, note the dot "." ahead of the domain.

So it doesn't replace it, it creates another cookie. What can I do?

Stephen Ostermiller
Nathan H
  • The domains `www.domain.com` and `.www.domain.com` (note the leading dot) are treated the same, at least as per RFC 6265, which is what *every* modern browser implements. It says that the leading dot is just *ignored*. But if cookies don't successfully overwrite each other, this may be due to differences in the properties "path", "domain", "secure" or "httpOnly", which we cannot see here. In general, you may try https://github.com/delight-im/PHP-Cookie for easier cookie management. – caw Jul 12 '16 at 23:30

3 Answers

41

The issue is also addressed here: https://www.php.net/manual/en/function.setcookie.php

See comment by jah:

If you want to restrict the cookie to a single host, supply the domain parameter as an empty string

You could also try .example.com as the domain. The trailing dot will allow a cookie for all subdomains for example.com and could overwrite the www.-cookie, but I'll go with the above solution first.

Stephen Ostermiller
Select0r
  • 1
    I was looking for the answer to this as well, and sure enough, leaving the domain blank worked. Thanks. – Andrew Ensley Mar 25 '10 at 05:26
  • 1
    Be warned, if you use an empty string for the domain you may find some browsers get confused. If you can, use getenv('HTTP_HOST') – thomas-peter Sep 08 '11 at 12:47
7

If you specify a domain, you should follow RFC 2109 and prefix the domain with a dot; otherwise the client will do that. But if you don’t specify a domain at all, the client will take the domain of the request.

Gumbo
  • 2
    Is this default behavior documented somewhere? – marcovtwout Apr 12 '18 at 07:20
  • "If a cookie's Domain and Path attributes are not specified by the server, they default to the domain and path of the resource that was requested." link: https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_path – sosNiLa Nov 27 '19 at 10:48
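The Domain handling that the RFC 6265 comment and the two answers above describe, as an added example that is not part of the original thread: a small JavaScript model of the RFC's Domain parsing, storage and matching rules. The function names and sample hosts are constructed, and public-suffix and IP-address checks are left out.

```javascript
// Model of RFC 6265 sections 5.1.3, 5.2.3, 5.3 (step 6) and 5.4 for the Domain attribute.
// Hosts are constructed sample values; IP-address hosts and public-suffix checks are omitted.

// 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// 5.2.3 + 5.3 step 6: what the browser stores for a given Domain attribute value.
// Returns null when the cookie is rejected.
function storeCookie(requestHost, domainAttr) {
  let d = (domainAttr || "").toLowerCase();
  if (d.startsWith(".")) d = d.slice(1);          // a leading dot is ignored
  if (d === "") {
    // No usable Domain attribute: host-only cookie bound to the request host.
    return { domain: requestHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatch(requestHost, d)) return null;  // a host may not set cookies for a foreign domain
  return { domain: d, hostOnly: false };          // domain cookie: subdomains are included
}

// 5.4: is the stored cookie sent on a request to `host`?
function isSentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Which of the sample hosts receive a cookie set by www.example.com with this Domain value?
function reach(domainAttr) {
  const hosts = ["www.example.com", "a.www.example.com", "example.com", "api.example.com"];
  const c = storeCookie("www.example.com", domainAttr);
  return c === null ? null : hosts.filter((h) => isSentTo(c, h)).join(",");
}

for (const attr of ["", "www.example.com", ".www.example.com", ".example.com", "other.test"]) {
  console.log(JSON.stringify(attr), "->", JSON.stringify(storeCookie("www.example.com", attr)), reach(attr));
}
```

The rows for `www.example.com` and `.www.example.com` come out identical, and only the empty value keeps the cookie off `a.www.example.com`.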
-2

Try to create several other cookies with the same name, but a different domain. Example:

```php
setcookie('mycookie','mydata1',time() + 2*7*24*60*60,'/','www.example.com', false);
setcookie('mycookie','mydata2',time() + 2*7*24*60*60,'/','www.example.com', false);
setcookie('mycookie_top','mydata1',time() + 2*7*24*60*60,'/','example.com', false);
setcookie('mycookie_top','mydata2',time() + 2*7*24*60*60,'/','example.com', false);
```

Then inspect the cookies created by these commands in Firebug. If you keep getting a double cookie, then this might be a bug in PHP. Also, try to set the cookie in JavaScript code and see if you still get the same problem.

Stephen Ostermiller
Donny Kurnia