Quick overview about cookies
Actually, one of the most accurate and complete descriptions of cookies that I've found is the one on Wikipedia.
For the purpose of this document, we need to configure PHP cookies so they are only visible from the domain that creates them. This may sound trivial, but it can be especially tricky when more than one web application, installed on different subdomains or directories, is involved.
If the browser is correctly configured, it will protect the user's privacy by restricting access to cookies based on domain name, path, etc. I.e. a cookie created from domain foo.com won't be visible from bar.com (completely different domains). However, depending on how they are created (in this case, depending on PHP settings), cookies from foo.example.com may or may not be visible from bar.example.com (different subdomains), and cookies from www.example.com/foo may or may not be visible from www.example.com/bar (different paths).
It should be noted that using P3P there might be many more possibilities, but this specification is not directly supported by the default implementation of PHP sessions, so I think it is beyond the scope of this document.
More References:
- HTTP_cookie (wikipedia.org)
- CookieCentral ("You have zero privacy anyway" -Scott McNealy)
- Information About Cookies (microsoft.com)
- The original cookies specification (netscape.com)
Quick overview of the most important options in PHP
- Specifies the name of the cookie that will be used to store the session id (or the name of the GET/POST variable, if cookies are just an alternative method to transfer this data).
  The default value (PHPSESSID) is often good enough. However, you may wish to choose a unique name for each application installed behind the same domain. It should only contain alphanumeric characters.
- Specifies the domain name associated with the session cookie. It defaults to blank, nothing at all, meaning the host name of the server will be used, according to the cookie specs.
  I would recommend always setting this value to the fully qualified domain name of your site, i.e. something like www.example.com or forums.example.com. That way, each session cookie will only be visible from its own domain.
  However, if you need to share this cookie between different subdomains, you may need to choose the most common part of the domain name. I.e. if you need to share the cookie between www.example.com and forums.example.com, then you would have to specify ".example.com" (including the leading dot) for this parameter.
- Specifies the path associated with the session cookie. It defaults to /, i.e. the root of your web site, meaning the cookie will be visible from any path. Note that visibility also depends on the domain name.
  The default value is fine under normal circumstances, but if you run more than one application on the same fully qualified domain, you may want to give each one its own path here if you need to keep them apart. For example, if you have applications installed at www.example.com/foo and www.example.com/bar, then you would have to specify '/foo' and '/bar' respectively.
- Specifies whether cookies should only be sent over secure connections. It defaults to off, which is fine for normal use, but if your site uses HTTPS you would have to enable this option. Otherwise, cookies would not be transmitted.
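As an added example (not code from the original post), here is a small PHP helper that applies the four options just described; they correspond to the ini directives session.name, session.cookie_domain, session.cookie_path and session.cookie_secure. The function names are my own, and the layout assumed is the post's: an application "foo" served at https://www.example.com/foo, with forums.example.com as the sibling subdomain for the shared-cookie variant.

```php
<?php
// Added example, not code from the original post. It scopes the session cookie to
// exactly one application (name, domain, path, secure) before the session starts.
// Assumed layout: app "foo" at https://www.example.com/foo; sibling subdomain
// forums.example.com is used only for the shared-cookie variant.

// Returns the cookie parameters for one application. $shared is an optional parent
// domain with a leading dot (".example.com") when sibling subdomains must see the cookie.
function session_cookie_params(string $name, string $host, string $path,
                               bool $https, string $shared = ''): array
{
    // The post recommends alphanumeric-only names; strip anything else.
    $name = preg_replace('/[^A-Za-z0-9]/', '', $name) ?: 'PHPSESSID';

    // Normalise "/foo/" and "/foo" to the same path so the scope is predictable.
    $path = '/' . trim($path, '/');

    // Default to the exact host; widen to the parent domain only when asked, and only
    // if the host really sits inside it, so a typo cannot silently widen the scope.
    $domain = $host;
    if ($shared !== '') {
        if ($shared[0] !== '.' || substr($host, -strlen($shared)) !== $shared) {
            throw new InvalidArgumentException("$host is not inside $shared");
        }
        $domain = $shared;
    }

    return [
        'name'     => $name,
        'lifetime' => 0,       // pure session cookie, dropped when the browser closes
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => $https,  // with HTTPS, keep the cookie off plain-HTTP requests
        'httponly' => true,    // keep it out of reach of page scripts
    ];
}

// Must run before session_start(), otherwise the cookie header is already sent.
function apply_session_cookie_params(array $p): void
{
    session_name($p['name']);
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'],
                              $p['secure'], $p['httponly']);
}

// "foo" only: PHPSESSID becomes FOOSESSID, visible under www.example.com/foo only.
apply_session_cookie_params(session_cookie_params('FOOSESSID', 'www.example.com', '/foo/', true));
session_start();
```

For the shared case from the post, call session_cookie_params('EXAMPLESESSID', 'forums.example.com', '/', true, '.example.com') instead; the helper refuses a parent domain that does not actually contain the host.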
More information?
There are more settings related to PHP sessions, but I think the most important part is already covered. I may try to extend this document as time permits. Suggestions and critiques are, of course, welcome.
I just thought there was a need to gather some information about PHP sessions in one place, aimed especially at those who install and run websites.
I hope you have found something interesting here. I'm not sure if what I have just written is really useful. In fact, I'm surprised you have reached this point. Thanks for reading ;-)
Setting up session cookies
Submitted on Wed, 2006-04-05 17:33