6

I have a cookie that I use on my app. It looks like this:

+-------+-------+-----------------------+-------+----------+
| Name  | Value | Domain                | Path  | Expires  |
+-------+-------+-----------------------+-------+----------+
| foo   | bar   | my.domain.tld         | /     | Session  |
+-------+-------+-----------------------+-------+----------+

In a section of my script, based on some condition, I'm trying to change the value of a cookie. I'm using this code:

// overwrite cookie
if($condition){
  setcookie("foo", "cat", 0, "/", "my.domain.tld");
}

Afterward, my cookie data looks like this:

+-------+-------+-----------------------+-------+----------+
| Name  | Value | Domain                | Path  | Expires  |
+-------+-------+-----------------------+-------+----------+
| foo   | bar   | my.domain.tld         | /     | Session  |
| foo   | cat   | .my.domain.tld        | /     | Session  |
+-------+-------+-----------------------+-------+----------+

How come a . is being prepended to the domain? I want to overwrite the existing cookie.

maček
  • makes no sense, it *must* be set to anything.domain.tld otherwise there is a big bug somewhere - the only thing I dare suggest, is that you check again and ensure that the first cookie isn't in fact set to .anything rather than the second.. – nathan Jul 06 '10 at 19:46
  • Nathan, it looks like it's not a bug so much as it might be a common source for confusion. See the answer below :) – maček Jul 06 '10 at 19:53
  • You might find [`$cookie->setDomain($domain)`](https://github.com/delight-im/PHP-Cookie/blob/004cde69ec840e65c15275e09b92ecb1da06f357/src/Cookie.php#L117) helpful, as found in [this standalone library](https://github.com/delight-im/PHP-Cookie). It takes care of normalizing the domain name that you provided. – caw Sep 21 '16 at 04:23

3 Answers

1

http://www.php.net/manual/en/function.setcookie.php#93641

The answer is discussed in a post on the PHP manual.

Cookie data is set by the browsing agent, and so is handled differently depending on the process the browser uses.

DeaconDesperado
0

From the documentation:

The domain that the cookie is available. To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers. Setting it to www.example.com will make the cookie only available in the www subdomain. Refer to tail matching in the spec for details.

And the tail matching spec is here:

http://curl.haxx.se/rfc/cookie_spec.html

Zak
  • I should've been more specific. By `anything` I meant the subdomain could be anything. I didn't want to narrow answers down to a `www` specific subdomain. To be more precise, I don't want the cookie to match *all* subdomains for the domain. I updated my question. – maček Jul 06 '10 at 19:51
0

As it turns out, specifying no domain seems to work:

setcookie("foo", "cat", 0, "/");

Expected cookie data:

+-------+-------+-----------------------+-------+----------+
| Name  | Value | Domain                | Path  | Expires  |
+-------+-------+-----------------------+-------+----------+
| foo   | cat   | my.domain.tld         | /     | Session  |
+-------+-------+-----------------------+-------+----------+

Strange, but it works.

maček
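Why the two `setcookie` calls on this page behave differently, as an added example (not from the original posts and not any browser's code): a simplified JavaScript model of a cookie jar. It assumes cookies set with and without a domain are kept as separate entries, as the question's second table shows; `CookieJar`, `replay` and the host `sub.my.domain.tld` are hypothetical names.

```javascript
// Simplified model of a browser cookie jar (added example, not browser code).
// Assumption: a cookie set without a domain (host-only) and one set with a
// domain are separate entries, as the question's second table shows.
// Simplifications: prefix path match, no public-suffix check.
class CookieJar {
  constructor() { this.store = new Map(); }

  // True when host equals the cookie domain or is a subdomain of it.
  static domainMatch(host, domain) {
    return host === domain || host.endsWith("." + domain);
  }

  // Apply one Set-Cookie from requestHost; domain is the optional attribute.
  set(requestHost, { name, value, domain, path = "/" }) {
    const host = requestHost.toLowerCase();
    let hostOnly = true, scope = host;
    if (domain) {
      scope = domain.toLowerCase().replace(/^\./, "");       // leading dot ignored
      if (!CookieJar.domainMatch(host, scope)) return false; // foreign domain
      hostOnly = false;
    }
    const key = [name, scope, path, hostOnly].join("|");
    this.store.set(key, { name, value, domain: scope, path, hostOnly });
    return true;
  }

  // Cookies that would be attached to a request for host + path.
  cookiesFor(host, path = "/") {
    const h = host.toLowerCase();
    return [...this.store.values()]
      .filter(c => (c.hostOnly ? h === c.domain : CookieJar.domainMatch(h, c.domain))
                   && path.startsWith(c.path))
      .map(c => `${c.name}=${c.value}`);
  }

  // Rows as a cookie viewer lists them: domain cookies get a leading dot.
  rows() {
    return [...this.store.values()]
      .map(c => `${c.name}=${c.value} @ ${c.hostOnly ? "" : "."}${c.domain}`);
  }
}

// Replay the page: existing foo=bar, then the overwrite with or without a domain.
function replay(domainAttr) {
  const jar = new CookieJar();
  jar.set("my.domain.tld", { name: "foo", value: "bar" }); // existing session cookie
  jar.set("my.domain.tld", { name: "foo", value: "cat", domain: domainAttr });
  return { rows: jar.rows(), sub: jar.cookiesFor("sub.my.domain.tld") };
}
console.log(replay("my.domain.tld"), replay(undefined));
```

In this model the cookie set with an explicit domain is also sent to subdomains, so omitting the domain both overwrites the original entry and keeps the narrower scope.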