Browser Sends Two Cookies - PHP's Session Handler Reads Wrong One

For a period of time cookies were set on a single site with different values for the domain. This resulted in some people having cookies with the same name set for both .www.domain.com and .domain.com. The site is intended to be accessed as www.domain.com. This is accomplished with .htaccess rules.

The code will use .domain.com. now for the session.cookie_domain going forward.

The issue I am having is that when both cookies exist the browser sends both (both are valid). I see this is so in the headers and also when dumping out apache_request_headers(); however, when I dump out $_COOKIE, I see just one of them.

["Cookie"]=>
  string(74) "foobar=hkej4qdnq5kismiq3kl07qv6k2; foobar=ocvn7anlu2f2k2l37nl9ou3c21"

And then...

array(1) { ["foobar"]=> string(26) "hkej4qdnq5kismiq3kl07qv6k2" } 

My session interface read($id) method is checking the old cookie and not the one we set on login.

What is the best way to address this? I am thinking I could just change the session name/identifier and start fresh. Or maybe evaluate the Apache headers in my read implementation. I have not found much that is relevant in searching the web, just a bunch of fluff from w3schools polluting the results, so I thought this might be a good one to post here.

Answers


I had the same problem and solved it by changing the session name.

PHP allows you to access the variable $_SERVER["HTTP_COOKIE"] and parse it yourself. This allows you to access both values of the cookie, but you still cannot tell the correct cookie from the wrong one.

Unless those cookies contain really valuable data, I would not care about the old values and just start new.
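
Added example (not part of the original answers): the manual parsing of $_SERVER["HTTP_COOKIE"] mentioned above, keeping every value sent under a duplicated name and accepting only IDs the session store knows. The store array, the $exists callback and the function names are assumptions for illustration, as is the choice of which sample ID is the live one.

```php
<?php
// Added example, not from the original thread.

/**
 * Parse a raw Cookie header into name => list of values, keeping duplicates
 * in the order the browser sent them ($_COOKIE keeps only one per name).
 */
function parse_cookie_header(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // skip empty or malformed segments
        }
        [$name, $value] = explode('=', $pair, 2);
        $cookies[trim($name)][] = urldecode(trim($value));
    }
    return $cookies;
}

/**
 * Return the session ID candidates sent under $name that are well-formed and
 * that $exists (hypothetical lookup against the session store) accepts.
 */
function session_candidates(string $header, string $name, callable $exists): array
{
    $values = parse_cookie_header($header)[$name] ?? [];
    $valid = [];
    foreach (array_unique($values) as $id) {
        // Reject anything that is not a plain session-ID token before touching the store.
        if (preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) && $exists($id)) {
            $valid[] = $id;
        }
    }
    return $valid;
}

// Constructed sample: the header from the question. Assumption: the store
// holds only the second ID (the one set on login).
$header = 'foobar=hkej4qdnq5kismiq3kl07qv6k2; foobar=ocvn7anlu2f2k2l37nl9ou3c21';
$store  = ['ocvn7anlu2f2k2l37nl9ou3c21' => true]; // stand-in for the real session store
$found  = session_candidates($header, 'foobar', fn(string $id): bool => isset($store[$id]));

var_dump(parse_cookie_header($header)['foobar']); // every value sent under the name
var_dump($found);                                 // candidates the store recognises
```

If more than one candidate survives the lookup, the request is still ambiguous, which is why renaming the session cookie remains the simpler fix.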


Just change the session name from PHPSESSID to SITESESSID or something else of your choice. This will make sure that your application ignores the old cookie altogether. If the lifetime of your session is 0, then it's a session cookie (it gets deleted when the browser is closed); in that case you can change the session name back to PHPSESSID after a few days or a month of implementation, since you will be sure that no one has the old cookie.

BTW: The browser isn't sending two cookies. It's just your old session cookie still alive.

