frustrated with setcookie() function

sois

i have a few sites on my domain and am having trouble setting cookies for the individual sites. My cookies keep getting mixed up. For example, my lvsl cookie reads my tpc cookie.

Here is an example of my code, what am I doing wrong? The web addresses that are being confused are www.sois.com/tpc/ and www.sois.com/lvsl/

$cookie_path = "/lvsl/";
$cookie_domain = ".sois.com";

define("COOKIE_PATH", $cookie_path);
define("COOKIE_DOMAIN", $cookie_domain);

setcookie("user", $user, time()+3600, COOKIE_PATH, COOKIE_DOMAIN);

Does something look wrong here? Is there a reason it is pulling information from different sites? Thank you guys.

scrupul0us

$cookie_domain = ".sois.com";

...makes it available to the entire domain

depending on what you are doing consider subdomains for the individual sites and then force the cookies to be valid on only those subdomains

sois

I just reviewed the setcookie() page in the PHP manual.... can I just remove the path and domain parameters from the code? Won't that restrict the cookie to the /lvsl/ path only by default?

scrupul0us

sois;10903754 wrote:
I just reviewed the setcookie() page in the PHP manual.... can I just remove the path and domain parameters from the code? Won't that restrict the cookie to the /lvsl/ path only by default?

I don't believe so, by default I believe cookies are tied to the domain and not sub folders

you are really better off from a security stand point using sub domains and forcing the cookies to be valid on those subs

sois

just to be clear, subdomains like lvsl.sois.com?

scrupul0us

sois;10903760 wrote:
just to be clear, subdomains like lvsl.sois.com?

yup... if you need help setting them up i can offer some help there too

sois

Hmm, the problem actually is a Firefox issue. It saves the passwords for only domains and not paths under a domain. So it will save a cookie for lvsl.sois.com but not sois.com/lvsl/.

This also reinforces your suggestion to use subdomains instead of paths. So my final question is:

what should I put in the path parameter of the setcookie function?

scrupul0us

i would pull the $_SERVER['HTTP_HOST'] or equivalent to determine where you are and use that

bradgrafelman

sois wrote:
can I just remove the path and domain parameters from the code? Won't that restrict the cookie to the /lvsl/ path only by default?

Yes. As per the manual for [man]setcookie[/man], "The default value is the current directory that the cookie is being set in."

scrupul0us wrote:
I don't believe so, by default I believe cookies are tied to the domain and not sub folders

Cookies have both domain and path attributes, though.

sois wrote:
Hmm, the problem actually is a Firefox issue. It saves the passwords for only domains and not paths under a domain. So it will save a cookie for lvsl.sois.com but not sois.com/lvsl/.

Not true, unless you're using some old/buggy version of Firefox. Using Firefox 3.0.6, the 'path' attribute worked as expected in my simple test case. The code I called was:

setcookie("user", "brad1", time()+3600);

in a "tcp" subdirectory and:

setcookie("user", "brad2", time()+3600);

in a "lvsl" subdirectory.

After setting cookies in one or both locations, a PHP script that echo'd out the cookie data sent revealed that only the correct data (e.g. "brad1" for the tcp folder) was outtputed, else nothing at all (since no cookie was sent for that path/domain combination).

scrupul0us

good follow up... thanks for clearing my babble up 🙂