How to stop domain cookies being used for subdomains?

4
votes

I have a setup with the following domains:

mydomain.com

www.mydomain.com

There is one problem (tested on Internet Explorer): if some cookie is set for mydomain.com, this cookie is also effective for www.mydomain.com even if I set a cookie with the same name for www.mydomain.com.

More specific examople:

1) the user chooses his prefered language on website mydomain.com and I set the cookie usrlng=en

2) next day someone else uses the same computer, naviagtes to www.mydomain.com and chooses his language, and I set the usrlng=de. But Internet Explorer keeps sending both cookies usrlng=en and usrlng=de to the server (I see this in Fiddler)! Why is it sending the same cookie twice and not overriding 'usrlng' with the subdomain value?

At the same time I see that PHPSESSID is being overwritten correctly for the subdomain, there are no two PHPSESSID cookies being sent to the server.

How can I fix the usrlng cookie and make it work the same way as PHPSESSID works?

2
cookiesoverridingsubdomain

2 Answers

3
votes

You can also set a different save_path for each... so they don't share the sessions. PHP example:

$subdomain = array_shift(explode('.',$_SERVER['HTTP_HOST']));

ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');

ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');

PHP needs access to write in the sessions directory.

2
votes

For now I solved the problem by setting the 'host' of the cookie instead of 'domain'; 'host' property allowed to limit the cookie to mydomain.com or www.mydomain.com.

Maybe that is the only way to go and 'domain' cannot be set up to oveeride top level domain cookies.