
Using Cookies Across Subdomains

By Flib

2009-05-04

Category: PHP

Problem

You have many sites: example.com, store.example.com, admin.example.com and so on. How do you allow sessions and cookies to work across all of them? By default, PHP starts a separate session for each hostname, because the session cookie is only sent back to the exact hostname that set it.

Solution

Cookies

Cookies in PHP are set using the setcookie() function. Further details can be found from http://php.net/setcookie

Cookies have several attributes. These include:

  • name
  • value
  • expire
  • path
  • domain
  • secure
  • httponly

Name

For a cookie, its name is how it is identified on both the browser and the server. For PHP sessions this cookie is commonly called PHPSESSID (the session.name directive).

Value

The value can be up to roughly 4 KB long according to the standard. For PHP sessions the value is a 32-character session ID, with any data associated with the session kept on the server in a session file (or another store if an alternative session handler is in use). This removes one of the security issues associated with cookies, namely that cookies can be edited by the user if they know what they are doing: the user can change the ID, but not the data it points to. It does mean the ID itself has to be unpredictable, since anyone who knows or guesses it gets the session.

Expire

If set to zero, the cookie expires when the browser session ends. If non-zero, the time specifies when the cookie is no longer valid. For sessions this is only half the issue, as old sessions are removed by the 'garbage collector' once they have been idle longer than session.gc_maxlifetime on the server (default 1440 seconds, i.e. 24 minutes); note that session.cache_expire (default 180 minutes) only controls the HTTP caching headers PHP emits and has nothing to do with how long the session data lives. The session cookie lifetime is session.cookie_lifetime, which defaults to 0, so session cookies are valid only until the browser closes.

Path

Setting a path allows a cookie to be restricted to parts of the site that begin with a certain URL prefix. For example, '/store' would stop the browser sending the cookie for any URL on the same domain that doesn't start with '/store'. For session cookies the default (session.cookie_path) is '/', so the cookie is valid for the whole site. Do not treat path as a security boundary: the browser's same-origin policy ignores it, so a page under another path on the same host can still read the cookie from a frame that loads a '/store' page.

Domain

This allows the domain that the cookie is valid for to be modified. By default, the cookie is valid only for the HTTP hostname that was used to request the page, e.g. www.example.com. If this is overridden with something like .example.com then example.com and every subdomain of it will also receive the cookie (modern browsers following RFC 6265 ignore the leading dot, so 'example.com' behaves the same way). This is what allows subdomains to share one session when session.cookie_domain is changed. Bear in mind what it means: every host under example.com can now read, overwrite and set the cookie, so a compromised or less-trusted subdomain can steal the session or fix its own session ID on the shared domain. Keep admin.example.com off the shared cookie domain if it does not need to be on it, and regenerate the session ID on login.

Secure

This allows the setting of cookies that will only be sent by the browser over a secure (HTTPS) connection.

Httponly

This allows the setting of cookies that will only ever be sent back to the server and will not be readable from client-side scripting languages (document.cookie). Note: this will not stop a determined attacker, since injected script can still make requests and the browser attaches the cookie to them; it is mainly of use to stop cookies being lifted outright by cross-site scripting attacks.
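As an added example (not code from the original article), the following shows the attributes above in a single setcookie() call: a cookie shared across example.com and all of its subdomains with the secure and httponly flags set, beside the host-only form that the browser returns only to the exact hostname that set it. The domain example.com and the cookie names are assumptions; the code targets PHP 7 or later and uses the positional setcookie() arguments that exist in every PHP version.

```php
<?php
// Added example, not part of the original article.
// Assumes the site is served over HTTPS on *.example.com.

// Was this request made over HTTPS? A Secure cookie set on a plain-HTTP
// response is pointless, so the caller refuses to set one in that case.
function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Set a cookie that example.com and every subdomain of it will receive.
// Must be called before any output, like all calls that send headers.
// Returns false and sets nothing when the connection is not HTTPS.
function set_shared_cookie(string $name, string $value, int $lifetime = 0): bool
{
    if (!request_is_https()) {
        return false;
    }
    $expire = $lifetime > 0 ? time() + $lifetime : 0; // 0 = expires when the browser closes
    return setcookie(
        $name,
        $value,
        $expire,
        '/',             // path: the whole site, not one URL prefix
        '.example.com',  // domain: example.com and all subdomains (assumed domain)
        true,            // secure: only sent over HTTPS
        true             // httponly: not readable via document.cookie
    );
}

// The host-only equivalent: with an empty domain the browser sends the cookie
// back only to the hostname that set it, e.g. store.example.com but not
// www.example.com.
function set_host_only_cookie(string $name, string $value): bool
{
    if (!request_is_https()) {
        return false;
    }
    return setcookie($name, $value, 0, '/', '', true, true);
}

// 30-day preference cookie visible on every subdomain.
set_shared_cookie('site_pref', 'dark', 60 * 60 * 24 * 30);
// Per-host cookie for something that should not leak to sibling hosts.
set_host_only_cookie('store_cart', 'abc123');
```

The two functions differ only in the domain argument, which is the whole point of the article: an empty domain gives a host-only cookie, '.example.com' gives a domain cookie that every subdomain receives. Both refuse to run without HTTPS so the secure flag cannot be silently lost.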

Sessions

PHP session support works using two methods of passing a session id to the browser.

The first method is for a cookie to be set containing the user's session ID. This is the default and generally the more reliable method.

The second method is to turn on transparent session ID support (session.use_trans_sid). On output of the HTML page, each relative link and form has the session ID appended to it if cookie-based sessions aren't available. This can work even when cookies are actively refused, but it is fragile, it puts the session ID into URLs where it leaks through Referer headers, bookmarks and logs, and it is generally more painful than it's worth when it breaks. We won't go into this mode of operation any further in this article; set session.use_only_cookies to 1 to disable it.

Since you have probably already read the section above on cookies, the session cookie settings will look familiar.

Most session cookie settings can be set in three places. I will use the domain as the example, but most of the other cookie attributes have equivalent session settings (session.cookie_path, session.cookie_lifetime, session.cookie_secure, session.cookie_httponly). See http://php.net/manual/en/session.configuration.php

The first, which applies to all vhosts on the server is in the php.ini file (generally /etc/php.ini or an included file)

This option is session.cookie_domain, which by default is empty. Empty means use the current HTTP hostname.

If this is set, then session cookies will only be set for the domain that matches this directive unless it is overridden locally. This can be a pain to debug if you don't know what you are looking for: the symptom is simply that the session cookie never comes back and every request gets a new session.

The second place is in the httpd.conf file (or the .htaccess file) using the php_value session.cookie_domain "" option. This only works when PHP runs as an Apache module (mod_php); under CGI or FastCGI the per-directory equivalent is a .user.ini file.

The last place is in the script itself using ini_set('session.cookie_domain',''); this must be called before session_start(), because the session cookie is sent as part of session_start() and changing the setting afterwards has no effect on the cookie already queued.
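As an added example (not code from the original article), here is the per-script form put together with the other two places as comments, applied before session_start(), plus the two checks a practitioner would want: a counter that keeps counting when the browser moves from www.example.com to store.example.com, and a session ID regeneration at login, since a cookie domain shared by every subdomain also means a session ID planted by one subdomain is honoured by all of them. The domain example.com, the hostnames and the session keys are assumptions; it targets PHP 7 or later.

```php
<?php
// Added example, not part of the original article.
// Assumes the sites live under example.com and are served over HTTPS.
//
// The same setting in the other two places the article lists:
//   php.ini (applies to every vhost):   session.cookie_domain = .example.com
//   httpd.conf / .htaccess (mod_php):   php_value session.cookie_domain ".example.com"
// The ini_set() calls below override both, and they must run before
// session_start() because that is when the session cookie is emitted.

ini_set('session.cookie_domain', '.example.com'); // shared with every subdomain
ini_set('session.cookie_path', '/');
ini_set('session.cookie_secure', '1');             // HTTPS only
ini_set('session.cookie_httponly', '1');           // not readable from script
ini_set('session.use_only_cookies', '1');          // never accept ?PHPSESSID= in the URL
ini_set('session.use_strict_mode', '1');           // reject IDs the server did not issue (PHP >= 5.5.2)

session_start();

// Count page views for this session. Because the cookie domain is
// .example.com, a browser that first loads www.example.com and then
// store.example.com presents the same PHPSESSID and the count keeps rising;
// with the default (host-only) cookie each host would start again at 1.
function bump_view_counter(): int
{
    $_SESSION['views'] = isset($_SESSION['views']) ? $_SESSION['views'] + 1 : 1;
    return $_SESSION['views'];
}

// Any host under example.com can set a PHPSESSID cookie that the others will
// accept, so swap the ID for a fresh one whenever the session gains privilege.
function on_login(string $user): void
{
    session_regenerate_id(true); // true = delete the old session data too
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
}

$views = bump_view_counter();
header('Content-Type: text/plain');
echo 'host=', $_SERVER['HTTP_HOST'] ?? 'cli',
     ' session=', session_id(),
     ' views=', $views, "\n";
```

Deploy the same file on two hostnames under the shared domain and request them alternately from one browser: the session ID printed stays the same and the view count increases across both, which is the behaviour the problem statement asks for. Call on_login() from the real login handler rather than on every request.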

©2009 AskFlib.com
