PHP: Cookie Domain/Subdomain Control


PHP's cookie functions automatically prefix the $domain with a dot. If you don't want this behavior you could use the header function. For example:

header("Set-Cookie: cookiename=cookievalue; expires=Tue, 06-Jan-2009 23:39:49 GMT; path=/; domain=subdomain.example.net");

Share cookie between subdomain and domain

If you set a cookie like this:

Set-Cookie: name=value

then the cookie will only apply to the request domain, and will only be sent for requests to the exact same domain, not any other subdomains. (See What is a host only cookie?)

Two different domains (e.g. example.com and subdomain.example.com, or sub1.example.com and sub2.example.com) can only share cookies if the domain attribute is present in the header:

Set-Cookie: name=value; domain=example.com

The domain attribute must "domain-match" the request URL for it to be valid, which basically means it must be the request domain or a super-domain. So this applies for both examples in the question, as well as sharing between two separate subdomains.

This cookie would then be sent for any subdomain of example.com, including nested subdomains like subsub.subdomain.example.com. (Bear in mind there are other attributes that could restrict the scope of the cookie and when it gets sent by the browser, like path or Secure).

Because of the way the domain-matching works, if you want sub1.example.com and sub2.example.com to share cookies, then you'll also share them with sub3.example.com.

See also:

  • www vs no-www and cookies
  • cookies test script to try it out

A note on leading dots in domain attributes: In the early RFC 2109, only domains with a leading dot (domain=.example.com) could be used across subdomains. But this could not be shared with the top-level domain, so what you ask was not possible in the older spec.

However, the newer specification RFC 6265 ignores any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
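The domain-matching rule described above, as an added example that is not part of the original answers: a PHP function implementing the RFC 6265 host/domain comparison, run over the host names the answer uses, plus a helper that emits either a host-only or a domain-scoped Set-Cookie header (the header() approach from the first answer). The function names and the host names are constructed for this illustration.

```php
<?php
// Added example, not code from the original answers. Host names below are
// constructed sample values.

/**
 * RFC 6265 section 5.1.3 domain matching: the cookie Domain must equal the
 * request host, or be a suffix of it at a label boundary. A leading dot in the
 * Domain attribute is ignored (section 5.2.3).
 */
function cookie_domain_matches(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(ltrim($cookieDomain, '.'));   // ".example.com" and "example.com" are the same
    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    // A suffix match is never applied to an IP-address host (RFC 6265 5.1.3).
    // Browsers additionally reject public suffixes such as Domain=com; that
    // list is not modelled here.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // The boundary dot matters: "notexample.com" must not match "example.com".
    return substr($host, -strlen('.' . $domain)) === '.' . $domain;
}

/** Host-only cookie (no Domain attribute): sent back only to the exact host that set it. */
function host_only_cookie_sent_to(string $settingHost, string $requestHost): bool
{
    return strtolower($settingHost) === strtolower($requestHost);
}

/** Builds a Set-Cookie header value; $domain === null produces a host-only cookie. */
function build_set_cookie(string $name, string $value, ?string $domain): string
{
    $parts = [rawurlencode($name) . '=' . rawurlencode($value), 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax'];
    if ($domain !== null) {
        $parts[] = 'Domain=' . ltrim($domain, '.');
    }
    return implode('; ', $parts);
}

// Constructed checks mirroring the cases discussed in the answer.
$cases = [
    ['example.com',                  'example.com',      true],
    ['subdomain.example.com',        'example.com',      true],
    ['subsub.subdomain.example.com', 'example.com',      true],
    ['sub1.example.com',             'sub2.example.com', false],
    ['notexample.com',               'example.com',      false],
    ['subdomain.example.com',        '.example.com',     true],   // leading dot ignored
    ['192.0.2.10',                   '0.2.10',           false],  // no suffix match for IP hosts
];
foreach ($cases as [$host, $domain, $expected]) {
    $got = cookie_domain_matches($host, $domain);
    printf("%-30s Domain=%-18s sent=%-5s %s\n", $host, $domain,
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}

// Two sibling subdomains cannot share a host-only cookie at all:
var_dump(host_only_cookie_sent_to('sub1.example.com', 'sub2.example.com'));

// The header to send in each case, as the first answer does with header():
header('Set-Cookie: ' . build_set_cookie('name', 'value', null));          // host-only
header('Set-Cookie: ' . build_set_cookie('name', 'value', 'example.com')); // every subdomain of example.com
echo build_set_cookie('name', 'value', null), "\n";
echo build_set_cookie('name', 'value', 'example.com'), "\n";
```

Run it from the command line to see the table; the header() calls are no-ops under the CLI SAPI and take effect only when the script serves a real request.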

Set cookie from main domain for subdomain

There are a couple of things that are required when using credentials:

  • withCredentials flag

The AJAX request needs to have xhr.withCredentials = true; set.

  • Access-Control-Allow-Credentials

The server must also respond with header('Access-Control-Allow-Credentials: true');.

  • Wildcard origin not allowed

When specifying withCredentials, the server cannot allow an origin of *. Therefore, you must respond with a list of valid domains:

header('Access-Control-Allow-Origin: http://sub1.domain.com,http://sub2.domain.com');

If you still want to have an arbitrary list of subdomains, you could do something like the following:

if (substr($_SERVER['HTTP_ORIGIN'], -11) === '.domain.com') {
    header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
}

This sets the allowed origin to the value of the Origin request header, but only if it's on your domain.
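A stricter version of the origin check above, added here as an example and not the answer's own code: the Origin value is parsed instead of suffix-matched on the raw string, only origins on domain.com or one of its subdomains are echoed back, Access-Control-Allow-Credentials is sent with them, and Vary: Origin accompanies the per-origin response so a shared cache does not replay one subdomain's answer to another. Access-Control-Allow-Origin carries a single origin, so the example echoes the matching one rather than a comma-separated list. PARENT_DOMAIN, allowed_origin and send_cors_headers are names assumed here, the sample origins are constructed, and requiring https is a choice made in the example rather than something the answer states.

```php
<?php
// Added example, not code from the original answer. PARENT_DOMAIN and the
// sample origins are constructed values.

const PARENT_DOMAIN = 'domain.com';   // assumption: the site whose subdomains may call this endpoint

/**
 * Returns the Origin value to echo back, or null when no CORS headers should be sent.
 * Browsers send Origin as scheme://host[:port] with no path, so anything else is rejected.
 */
function allowed_origin(?string $origin, string $parent = PARENT_DOMAIN): ?string
{
    if ($origin === null || $origin === 'null') {
        return null;                               // header absent, or an opaque origin
    }
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    foreach (['path', 'query', 'fragment', 'user', 'pass'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return null;                           // not a bare origin
        }
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;                               // choice made here: credentials stay on TLS
    }
    $host   = strtolower($parts['host']);
    $parent = strtolower($parent);
    $isParent = $host === $parent;
    $isSub    = substr($host, -strlen('.' . $parent)) === '.' . $parent;   // boundary dot required
    return ($isParent || $isSub) ? $origin : null;
}

function send_cors_headers(?string $origin): void
{
    $allowed = allowed_origin($origin);
    if ($allowed === null) {
        return;   // no Access-Control-Allow-* headers: the browser refuses the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $allowed);   // exactly one origin, never "*" with credentials
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin');                                // response differs per origin
}

send_cors_headers($_SERVER['HTTP_ORIGIN'] ?? null);

// Constructed checks; header() is a no-op when run from the CLI.
$samples = [
    'https://sub1.domain.com'          => 'https://sub1.domain.com',
    'https://domain.com'               => 'https://domain.com',
    'http://sub1.domain.com'           => null,   // plain http rejected by this example
    'https://domain.com.attacker.test' => null,   // the suffix must sit at the end of the host
    'https://notdomain.com'            => null,   // label boundary
    'https://sub1.domain.com/path'     => null,   // not a bare origin
    'null'                             => null,
];
foreach ($samples as $origin => $expected) {
    $got = allowed_origin($origin);
    printf("%-34s -> %-26s %s\n", $origin, var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

The same allow-list should drive any preflight (OPTIONS) response the endpoint returns, and the list of accepted hosts is the one place to extend if only some subdomains should be able to send cookies.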

Issues setting session cookies in other subdomain

Same answer as here. The key point is the usage of the withCredentials property. Not sure, though, why I have to send them even if the cookies originated on subdomain A and are set on subdomain B.

setcookie from subdomain to domain

I used Klaus Hartl's jQuery cookie plugin in order to solve my problem, since I haven't been able to set up a global cookie from the AJAX backend.

Delete cookie not working if cookie is set to all subdomains on same domain

Try this:

Cookie::queue('cookie_name', null, -1);
return Redirect::route('your_route');
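A plain-PHP illustration of why such a delete can fail, added here and not taken from the answer (which uses Laravel's Cookie facade): a browser stores a cookie under its name, domain and path, so an expiry header that omits the Domain the cookie was set with addresses a different, host-only cookie and leaves the shared one in place. The helper names, the example.com domain and the header lines are constructed.

```php
<?php
// Added example, not the original answer's code. The domain and the Set-Cookie
// lines are constructed sample values.

/** Extracts the (name, domain, path) triple under which a browser stores a cookie. */
function cookie_identity(string $setCookie): array
{
    $parts = array_map('trim', explode(';', $setCookie));
    [$name] = explode('=', array_shift($parts), 2);
    $id = ['name' => $name, 'domain' => null, 'path' => '/'];   // null domain = host-only
    foreach ($parts as $attr) {
        [$key, $val] = array_pad(explode('=', $attr, 2), 2, '');
        $key = strtolower($key);
        if ($key === 'domain') {
            $id['domain'] = strtolower(ltrim($val, '.'));     // leading dot ignored (RFC 6265 5.2.3)
        } elseif ($key === 'path') {
            $id['path'] = $val !== '' ? $val : '/';
        }
    }
    return $id;
}

/** True when the second header overwrites the same stored cookie as the first. */
function replaces_same_cookie(string $original, string $candidate): bool
{
    return cookie_identity($original) === cookie_identity($candidate);
}

/** Builds the deletion header: same name, domain and path, expiry in the past. */
function expire_cookie_header(string $name, ?string $domain, string $path = '/'): string
{
    $header = rawurlencode($name) . '=; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; Path=' . $path;
    if ($domain !== null) {
        $header .= '; Domain=' . $domain;
    }
    return $header;
}

// A cookie that was set for every subdomain of example.com:
$shared = 'cookie_name=value; Path=/; Domain=example.com; Secure; HttpOnly';

$withoutDomain = expire_cookie_header('cookie_name', null);           // what a naive delete sends
$withDomain    = expire_cookie_header('cookie_name', 'example.com');  // repeats the original Domain

var_dump(replaces_same_cookie($shared, $withoutDomain));   // a host-only cookie, the shared one survives
var_dump(replaces_same_cookie($shared, $withDomain));      // same identity, the shared cookie expires

// The same rule with PHP's own API (options-array form, PHP 7.3 or newer):
// repeat the domain and path used when the cookie was created. PHP replaces an
// empty value with a placeholder and an expiry in the past on its own.
setcookie('cookie_name', '', [
    'expires'  => 1,
    'path'     => '/',
    'domain'   => 'example.com',
    'secure'   => true,
    'httponly' => true,
]);
```

With Laravel the equivalent is to pass the same path and domain to the forgetting call that were passed when the cookie was queued; the framework cannot infer them from the cookie's name alone.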

Setting cookies on domain/subdomain

There are 3 ways you can separate the English and German cookies:

1) Domain:
You could use a separate www. and de. subdomain as you mentioned. To me this would be the easiest.

2) Path:
You can use the path, but if your English cookie is set for "/" it will still be accessible under "/de/". So if you want to go this route you'd need to make a "/en/" path as Kerrek suggested.

3) Name:
Give the German cookie a different name.

You will need to do one of those 3 to have separate English and German cookies. I'd think that having a separate subdomain would be the best, because not just your cookie paths but all your asset paths will be the same regardless of language.


