Reading cookies & cookie domains

I have two servers: the live server (mydomain.com) and the QA server (qa.mydomain.com). When I set cookies I set the domain as respectively ".mydomain.com" and ".qa.mydomain.com". One of these cookies, called "session_id" is used for authentication and login purposes. It is obvious that a cookie for one domain will not work on the other. However as I am prepending the dot to the domain PHP sometimes reads the ".domain.com" cookie on the QA server with the result that I am not able to login.

Are there ways to have PHP read t开发者_如何学Pythonhe correct cookie?

Prepending the dot means it is valid also for all subdomains. So the .mydomain.com cookie is also valid for the qa.mydomain.com.

Now it's not just PHP reading the cookie; but also the browser sending the cookies based on which domain they are valid for.

Since you're in specific talking about the session cookies, you might want to look into using named sessions. For what I can remember, the name of a session is also used in the name of the cookie. Meaning you'd have a different session name for your live and test environment.

Otherwise removing the dot would also do the trick; but I'm guessing you do want it to work for www.mydomain.com, so I don't think it's a solution ;).

See http://se2.php.net/setcookie

The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., » RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.

You say:

It is obvious that a cookie for one domain will not work on the other.

when .mydomain.com should match all subdomains. I would remove the dot.

PHP reads all the cookies sent by the browser. Since every .qa.domain.com host is also a .domain.com host, it's normal to get all the cookies.

You'll need to either change the domain names, or change your PHP code in order to be able to identify the cookies that should be ignored from the ones that shouldn't.

I dont think that it is a PHP issue. The web browser is supposed to send the correct cookie to the appropriate web server. Some browsers may be implemented in such a way that sub-domain cookies are also sent back on main domain request.