Making Cookies Accessible for Several Domains

Making Cookies Accessible for Several Domains

setcookie('version', phpversion(), 0, '.example.com');

One part of the Set-Cookie header sent by a server is the domain that has access to this cookie. If not sent specifically, this value defaults to the domain that is sending the cookie. Setting this domain to a completely different value, for example, the domain of an ad server (so-called third-party cookies; used to try to generate a profile of the user), does not always work because many browsers allow to specifically disable that. (See Figure 5.5 for an example in the old Netscape 4.x browser that was already capable of doing so.)

Setting the Domain for a Cookie (setcookie-domain.php)

<?php
  setcookie('version', phpversion(), 0,
    '.example.com');
?>
Tried to send cookie.

Figure 5.5. Even Netscape 4.x allows you to block cookies that do not use the originating domain.

However, in some instances it is required that the cookies work on several third-level domains or subdomains, for instance www.example.com, store.example.com, and ssl.example.com. Examples for this are large websites with many subdomains, such as Amazon and eBay. They require that all top-level domains (TLDs) are supported. To achieve this, the domain of the cookiefourth parameter of setcookie()has to be set. Here comes the trick:

All domain names are valid, as long as they contain two dots. So, if you set the domain to ".example.com", all third-level domains of example.com have access to this cookie. There is one "but": Pages on http://example.com/ cannot access this cookie. So, you might want to try to set the domain to "example.com"; however, this does not conform with the specification and might not be supported with all browsers.