7

I have been trying to find out a way to share cookies across multiple subdomains.

Setting the cookie like:

    setcookie('token', base64_encode(serialize($token)), time()+10800, '/', '.mydomain.com');

does exactly that. But there is a slight problem here. This will share the cookie across all subdomains.

My problem is that I have other environments (Dev and test) set up on 2 subdomains. I am looking for a way to share cookies across "Selective" subdomains. i.e. share across some subdomains, and not share amongst others. I am not sure if anything like this exists.

Any help is appreciated. Thanks.

ಠ_ಠ
  • 3,060
  • 28
  • 43
Vishesh Joshi
  • 1,601
  • 2
  • 16
  • 32
  • You could just add a prefix in your cookie names. dev_token, prod_token, whatever you need to. – Tchoupi Aug 13 '12 at 11:25
  • 1
    I don't think a solution for doing exactly what you want exists. What you can do is protect your cookie from being accessed by all subdomains. You can encode your cookie somehow and give selective subdomains keys to decode it back. Or you can explicitly set cookies for each of the domains you need at the same time. Like you set dev_cookie and test_cookie at the same place in the code. – zysoft Aug 13 '12 at 11:49
  • 1
    As far as I'm aware and others have mentioned this isn't possible. Your only solution is to name them differently. Unless you get a different domain for your dev environments, which seems a bit much. – diggersworld Aug 13 '12 at 13:10
  • You might find [`$cookie->setDomain($domain)`](https://github.com/delight-im/PHP-Cookie/blob/004cde69ec840e65c15275e09b92ecb1da06f357/src/Cookie.php#L117) helpful, as found in [this standalone library](https://github.com/delight-im/PHP-Cookie). This lets you share the cookie with all subdomains or not at all. All other scenarios are not possible as per the HTTP specification. – caw Sep 21 '16 at 03:57
  • Would it be possible to do domain=dev*.example.com domain=prod*.example.com? – rrrm93 Nov 25 '21 at 10:51

4 Answers

1

As far as I'm aware you can either share across all subdomains using '.mydomain.com' (as you are doing) or you have to be specific and target only one subdomain using, for example, 'test.mydomain.com'.

You can also use some tricks, or workarounds, like prefixing the cookie name and then doing the logic server side, but I'm not sure if this is the solution you are looking for.

Adrien Hingert
  • 1,416
  • 5
  • 26
  • 51
0

After thinking and researching a lot about it and reading all the valuable comments posted above, I guess there is no straightforward solution to this.

I could have gone with the solution provided by Adrien Hingert, but that would mean an additional check every time a user comes in.

I guess I am left with no other option but to move my dev and test environments to another domain.

Thanks a lot all of you guys for your thoughts.

Vishesh Joshi
  • 1,601
  • 2
  • 16
  • 32
0

The attribute `domain=.example.com` specifically makes the cookie available to all subdomains. Just drop that attribute and the cookie can only be read by the subdomain that set it.

It's that easy.

jnovack
  • 7,629
  • 2
  • 26
  • 40
Frank
  • 1
0

A little late to the show, and I have a similar issue arising in my development scheme of things. After banging my head here and there, the obvious is clear.

Let's break it down: there is a setter, aka the PHP script from a particular domain, and there is a sender, aka the browser, which sends cookies on every call made from the browser to the domain.

We also know that once the PHP script is done processing, it loses its connection to the browser and opens up a thread for a new call, per se.

The browser, however, uses the cookie's expiry date to determine what to keep in cache and what not to keep in cache. Based on what's kept, it keeps on coupling the data to each call.

What we are intending to do is make the script tell the browser which domain to send the cookie to and which domain not to send the cookie to.

The specification says only the domain which is the setter will receive the cookie from the sender. If it was not this way, then we would be in a lot of trouble: a huge hacking gateway, flooded here and there.

Based on the above, the PHP cookie function by virtue only performs one operation. Yes, we can regex a bit here and there, but under the hood it is only performing single operations.

e.g.

    setcookie('token', base64_encode(serialize($token)), time()+10800, '/', 'mydomain.com');

The above code is only performing one set of instructions, as per the rule of functional output. A function cannot output two outputs at the same time.

    setcookie('token', base64_encode(serialize($token)), time()+10800, '/', '.mydomain.com');

The second code is also performing a single output; even so, '.mydomain.com' is a single output instruction to the browser. It is the browser which interprets what to do with it, not the PHP code.

Now if we need to be very selective, we either have to perform two functional puts, e.g.

    setcookie('token', base64_encode(serialize($token)), time()+10800, '/', 'dev.mydomain.com');

    setcookie('token', base64_encode(serialize($token)), time()+10800, '/', 'prod.mydomain.com');

The above code will run two separate instructions and will limit cookies to selective domains only, and so will the browser too.

If we use the relative `setcookie('token', base64_encode(serialize($token)), time()+10800, '/', '.mydomain.com');` then the browser would use it as a wildcard and, to be honest, the browser does not know whether it is meant to be selective or a wildcard.

Thus the only option is, and it has its merits, that we need to rechoreograph our business logic and not just rely on wildcarding or generic single output. Even if there was a function, it would run logic of sorts.

    // Set the same cookie for one domain (string) or for several (array of strings).
    function newCookie($name, $value = "", $expires = 0, $path = "/", $domain = "", $secure = false, $httponly = false) {
        if (is_array($domain) && sizeof($domain) > 0) {
            // One Set-Cookie header per domain; the loop variable must not
            // overwrite $value, which holds the cookie's value.
            foreach ($domain as $d) {
                setcookie($name, $value, $expires, $path, $d, $secure, $httponly);
            }
        } else {
            setcookie($name, $value, $expires, $path, $domain, $secure, $httponly);
        }
    }

    newCookie('token', base64_encode(serialize($token_value)), time()+10800, '/', ['prod.mydomain.com', 'dev.mydomain.com']);

or simply

    newCookie('token', base64_encode(serialize($token_value)), time()+10800, '/', 'dev.mydomain.com');

Bottom line is one has to update your business logic as exemplified above; just do it once and it should work fine, and the browser would know precisely what to do.

Syed
  • 696
  • 1
  • 5
  • 11
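
An added example, not part of any answer above and not code from the page: a simplified JavaScript model of how a browser applies the `Domain` attribute under RFC 6265, run against the settings discussed in this thread. The function names and the host list (including `api.prod.mydomain.com`) are assumptions made for illustration, and public-suffix checks are left out.

```javascript
// Simplified model of how a browser handles the Domain attribute
// (RFC 6265 sections 5.1.3, 5.3 and 5.4). Public-suffix checks, Path,
// Secure and IP-address hosts are left out. All host names are samples.

// True when `host` is `domain` itself or a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// What the browser stores for a Set-Cookie received from `setterHost`.
// Returns null when the cookie is rejected.
function storeCookie(setterHost, domainAttr) {
  // A leading dot is ignored: '.mydomain.com' and 'mydomain.com' are equivalent.
  const domain = (domainAttr || '').replace(/^\./, '').toLowerCase();
  if (domain === '') {
    // No Domain attribute: host-only cookie, returned to the setter alone.
    return { domain: setterHost.toLowerCase(), hostOnly: true };
  }
  // A host cannot set a cookie for a domain it does not belong to.
  if (!domainMatch(setterHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hosts from `hosts` that receive a cookie set by `setterHost` with `domainAttr`.
function recipients(setterHost, domainAttr, hosts) {
  const cookie = storeCookie(setterHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed sample hosts; the cookie is always set by prod.mydomain.com.
const HOSTS = ['mydomain.com', 'prod.mydomain.com', 'api.prod.mydomain.com',
  'dev.mydomain.com', 'test.mydomain.com'];
for (const attr of ['.mydomain.com', 'prod.mydomain.com', 'dev.mydomain.com', '']) {
  const got = recipients('prod.mydomain.com', attr, HOSTS);
  console.log(`Domain=${attr || '(omitted)'} ->`, got.length ? got.join(', ') : 'rejected by browser');
}
```

In this model a response from `prod.mydomain.com` carrying `Domain=dev.mydomain.com` is discarded, so each environment has to set its own cookie. An explicit `Domain=prod.mydomain.com` still reaches `api.prod.mydomain.com`; only omitting `Domain` yields a host-only cookie.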