I'm trying to set a cookie for use across different virtual hosts. Something similar to this has been asked multiple times here:

Cookies in subdomain doesnt work

how to access cookies on subdomain

Cookies And Subdomain

Setting cookies on domain/subdomain

cross subdomain login with cookies

Cookies and subdomains

They all mention a 'subdomain' but none describe what that is. If I have 2 Apache VHosts like so:

<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/
...
</VirtualHost>

<VirtualHost *:80>
ServerName home.example.com
DocumentRoot /var/www/home/
...
</VirtualHost>

If I log the user in at example.com and set the --and make sure to say the next word in a deep cookie monster voice-- cookie like so

setcookie( 'id', '1234', time()+24*3600, '/', '.example.com' );

Can I get id at home.example.com like so:

RewriteCond %{HTTP_COOKIE} \bid=[0-9]+\b

Or do these cross-domain cookies only work when the subdomains are set up entirely within a single virtual host (presumably with mod_rewrite)?

puk

1 Answer

It's entirely based on the domain name. The same-origin check doesn't care about the underlying IP.

home.example.com could be:

  1. The same as example.com
  2. Different
  3. Your local box
  4. A subdomain set up by an attacker using DNS forgery.

It doesn't matter. It's still a subdomain.

Matthew Flaschen
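
As an added illustration (not part of the original question or answer), here is a simplified sketch of the RFC 6265 domain-matching rules a browser applies to the cookie from the question. It shows that only the host name is compared, never the virtual host or IP behind it, and contrasts the `.example.com` cookie with a host-only cookie. The function names are hypothetical, and the public-suffix check that browsers also perform is omitted.

```javascript
// Simplified RFC 6265 cookie domain handling (added example, not browser source code).

// True for IPv4 dotted-quad or anything containing ':' (IPv6 literal).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// RFC 6265 section 5.1.3: does request host `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // Suffix match must fall on a label boundary, and host must be a name, not an IP.
  return !isIpLiteral(host) && host.endsWith('.' + domain);
}

// Sections 5.2.3 and 5.3: turn the Domain attribute into a stored cookie, or reject it.
function storeCookie(requestHost, domainAttr) {
  const attr = (domainAttr || '').replace(/^\./, '').toLowerCase(); // leading dot is ignored
  if (attr === '') {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { domain: requestHost.toLowerCase(), hostOnly: true };
  }
  // A host may only set cookies for itself or a parent domain.
  if (!domainMatch(requestHost, attr)) return null;
  return { domain: attr, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for `host`?
function isSentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// The cookie from the question, next to a host-only variant (constructed sample hosts).
const shared = storeCookie('example.com', '.example.com');
const hostOnly = storeCookie('example.com', '');
for (const host of ['example.com', 'home.example.com', 'badexample.com']) {
  console.log(host, 'shared:', isSentTo(shared, host), 'host-only:', isSentTo(hostOnly, host));
}
```

The `.example.com` cookie reaches every host under `example.com`, whoever answers for that name, so an `id` that must stay on one host is better set without a Domain attribute.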