在PHP中为不同子域下的http和https中的站点设置cookie
情况:
- 我正在尝试在一个域 secure.example.com 下运行 https 商店 (xcart),并且我想访问它在 http www.example.com< 中设置的 cookie /em>
- 我在 Apache (MAMP) 上运行 PHP,在 Firefox 中使用 Firecookie 进行测试
- 现有代码将 cookie 设置为
.secure.example.com。我不确定这是否与 xcart 相关,但setcookie实际上是使用secure.example.com调用的。我不确定为什么要附加“.”。
问题:
当我尝试在 https 中使用
setcookie来使用域.example.com或仅使用example.com时,没有 cookie已创建,无论我是在 http 还是 https 下运行商店。我使用的测试代码是:setcookie('三', '二', 0, "/", ".example.com");
如果我将 cookie 设置为 secure.example.com 或 .secure.example.com 它确实会显示。
cookie 没有显示有什么原因吗?
Situation:
- I'm trying run an https store (xcart) under one domain secure.example.com and I want to have access to a cookie it sets in http www.example.com
- I'm running PHP on Apache (MAMP), testing in Firefox with Firecookie
- The existing code sets cookies to
.secure.example.com. I'm not sure if this is xcart related, butsetcookieis actually called usingsecure.example.com. I'm not sure why the "." is appended.
Problems:
When I try to use
setcookiein https to use the domain.example.comor justexample.com, no cookie is created, whether I'm running the store under http or https. The testing code I'm using is:setcookie('three', 'two', 0, "/", ".example.com");
If I set the cookie to secure.example.com or .secure.example.com it does show up.
Is there a reason the cookie isn't showing up?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
问题是我使用的 localhost 带有一个单词域“mydomain”,这一事实由于某种原因被从原始消息中删除了。至少 Firefox 需要至少两个单词来显式设置 cookie,例如 mydomain.local。我更改了主机文件以包含域:www.mydomain.local 和 secure.mydomain.local,并且我能够将 cookie 设置为 .mydomain.local。
我还发现 php 会自动添加一个“.”在显式设置的 cookie 前面。
The problem was that I was using localhost with a one word domain, 'mydomain', a fact which for some reason was edited out of the original message. At least firefox requires at least two words for an explicitly set cookie, something like mydomain.local. I changed the hosts file to have the domains: www.mydomain.local and secure.mydomain.local, and I was able to set the cookies to .mydomain.local.
Also I found that php automatically puts a "." in front of explicitly set cookies.
是的 - 但该策略由浏览器确定(并且在某些浏览器上可以配置)。
IIRC 前面的语义。 Cooke RFC 中对此进行了解释(标准 cookie 的 2109 指出:
我将其解释为意在用作通配符匹配的 setcookie 指令中的 domian 前面应带有“.”。 ie .example.com - 然而规范继续说:
对我来说这意味着相反的意思。
我建议您自己阅读并进行实验。
显而易见的实用解决方案是,在没有合适的 cookie 的情况下,重定向回 cookie 设置网络服务器以检查其 cookie,然后将另一个重定向发送回原始服务器,并在查询字符串中包含 cookie 详细信息,然后删除副本与当前服务器关联的 cookie。
或者,您可以通过使用具有更多部分的 FQDN 来获得一些好处,例如
secure.www.example.com
和
www.example.com
(删除 [.]www.example.com 的 cookie)
HTH
C。
Yes - but the policy is determined by the browser (and on some browsers can be configured).
IIRC the semantics of the preceding . are explained in the cooke RFCs (2109 for the standard cookies states:
Which I would interpret as meaning that a domian in a setcookie directive intended to be used as a wildcard match should be preceded by a '.' i.e. .example.com - however the spec goes on to say:
Which to me implies the opposite.
I suggest you read it yourself and experiment.
The obvious practical solution is, in the absence of a suitable cookie, to redirect back to the cookie-setting webserver for it to check its cookie then send back another redirect to the originating server with cookie details in the query string, then drop a copy of the cookie associated with the current server.
Alternatively you may get some mileage out of using FQDNs with more sections, e.g.
secure.www.example.com
and
www.example.com
(dropping the cookie for [.]www.example.com)
HTH
C.
您是否尝试过 setcookie('三', '二', 0, "/", ".mydomain.com"); ?
Did you try
setcookie('three', 'two', 0, "/", ".mydomain.com");?