Posted by Andy Hassall on 10/30/06 12:45

On Fri, 27 Oct 2006 15:06:03 GMT, readmy@otherlips.com wrote:

>In article <6ak0h.38690$3l5.205@reader1.news.jippii.net>,
>spam@outolempi.net says...
>> Sessions are per domain. For www.mydomain.com there is one session, and for
>> mydomain.com there is anothe
>
>A session is supposed to be a session with a particular host.
>
>Actually PHP uses host names for sessions if you look in PHPSESSID but it
>puts the domain name in by mistake. Hence his problem.

Here's an example cookie header from PHP 4.4.4:

Set-Cookie: PHPSESSID=94c296afc759879918361534d1b89014; path=/

It doesn't set the domain; it relies on the default, correct, behaviour that
the cookie applies to the host from which it was issued.

>Now that all "domains" are being registered both with AND without the
>particular service name (WWW FTP etc) - IE as host names - this is going
>to be a big problem for PHP if it isn't sorted real soon.

No it isn't, and neither is this new.

What do you suggest as the solution? That all session cookies should have
their domain set to the TLD of the host issuing them? Then you end up with the
sessions leaking across domains, which is much worse.

If you want to modify the properties of the session cookie for your particular
circumstances, PHP has the session_set_cookie_params function.

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool

[Back to original message]