cookie clash

Status
Not open for further replies.

spookie

Programmer
May 30, 2001
655
IN
I am confused.
I am setting a cookie with
setcookie("login",$user_name,0,"/");
That means the cookie is applicable from the root of my site.
If the directory structure is like
/home/httpd/html/site1/index.php of my site,
and there is some other domain on
/home/httpd/html/site2/index.php of site 2,
and site 2 also sets a cookie with the same name, i.e. login,
can the two cookies clash? (Site 2 specifies the domain while setting a cookie.)
I mean, if a user is logged in on one site, can they go to the other without logging in, even if the site is checking for the cookie $login?

Thanking you in advance.

spookie
 
Spookie,

Well, this really boils down to browsers, since browsers establish their own standards for accepting, reading, and modifying cookies on the clients' systems.

Netscape is overly protective and picky.

In any case, we have three domains on one server each with document root of

/home/sites/home/web and
/home/sites/home//home/sites/home/web2 respectively

If we set a cookie in domain mywebsite.com which is in ../web, we cannot access them in ../ in ../web2.

The reason? Well, this is due to security features in cookies (and for good reason!). One good reason why this is so is for the simple fact that on servers where there is virtual hosting (such as ISPs), one owner of one domain definitely does not want his/her cookies accessible by a client viewing some other domain.

If you are trying to get a cookie to be accessible between each one of your domains, good luck. There are ways to do this, but I don't think the methods would be very nice and can cause some huge security holes.

Also, if you are using PHP4, make your life easier by using PHP's session functions, for instance:

session_start();

$myname = "Chad Horton";

session_register("myname");


The above starts a session and creates a cookie called myname. The wonderful thing about this is that PHP's session suite uses the server to store session validation information (PHP session IDs, etc.) in a specified location on the server. When you register a session object (cookie), the information expires when the user closes his/her browser or you kill it yourself with session_unregister().

Hope this helps.

Chad. ICQ: 54380631
 
Thanks inlandpac,

No, I DON'T want the cookie accessible from one site to the other. The two sites are totally different. It doesn't make sense, does it? :)

I realized it when the cookies by the two sites happened to be of the same name, and since they are client-side cookies, that thing came to my mind.

Is there any security hole in it, or should I change the cookie name altogether?

Thanks

spookie
 
There is no real security hole in the essence of it all, but of course, anything is possible :)

I would not worry about anything. The one cookie should never clash with the other.

I would still recommend using PHP's session functions.

Chad. ICQ: 54380631
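
Added example, not part of any post in this thread: a simplified model of how a browser decides which cookies to store and send, following the domain-match and path-match rules of RFC 6265. The CookieJar class, the host names (site1.example, site2.example, host.example) and the cookie values are constructed for illustration; it compares two separate domains with two sites sharing one host under /site1 and /site2.

```javascript
// Added example: simplified RFC 6265 matching (sections 5.1.3, 5.1.4); no public-suffix checks.
// Host names and values are constructed for illustration.
function domainMatch(host, cookie) {
  const h = host.toLowerCase(), d = cookie.domain.toLowerCase();
  // Host-only cookies need an exact host; Domain= cookies also match subdomains.
  return h === d || (!cookie.hostOnly && h.endsWith("." + d));
}
// The cookie path must be a prefix of the request path, ending on a "/" boundary.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}
class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie as if `host` sent Set-Cookie. Only an identical
  // (name, domain, path) triple replaces an existing cookie.
  set(host, name, value, { domain = null, path = "/" } = {}) {
    const c = { name, value, path, domain: domain || host, hostOnly: domain === null };
    // A host may set cookies only for itself or a parent domain.
    if (!domainMatch(host, { domain: c.domain, hostOnly: false })) return false;
    this.cookies = this.cookies.filter(
      o => !(o.name === name && o.domain === c.domain && o.path === path));
    this.cookies.push(c);
    return true;
  }
  // Cookies a browser would attach to a request for host + path.
  send(host, path) {
    return this.cookies
      .filter(c => domainMatch(host, c) && pathMatch(path, c.path))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Case 1: two virtual hosts, each setting "login" with path "/".
function separateDomains() {
  const jar = new CookieJar();
  jar.set("site1.example", "login", "alice");
  jar.set("site2.example", "login", "bob", { domain: "site2.example" });
  return [jar.send("site1.example", "/index.php"), jar.send("site2.example", "/index.php")];
}

// Case 2: one host serving /site1 and /site2; `scoped` selects per-directory paths.
function sharedHost(scoped) {
  const jar = new CookieJar();
  jar.set("host.example", "login", "alice", { path: scoped ? "/site1/" : "/" });
  jar.set("host.example", "login", "bob", { path: scoped ? "/site2/" : "/" });
  return jar.send("host.example", "/site1/index.php");
}
```

With separate domains each site receives only its own login cookie. On one shared host with path "/", the second cookie overwrites the first, so /site1 receives the value set by /site2; directory-scoped paths keep the two apart.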
 