PHP session.cookie_domain | Serving Static Content from a Cookieless Domain

In the php.ini file in Linux, what values do I use in the session.cookie_domain parameter to make the user's browser send cookies only on responses to https://t1shopper.com and https://www.t1shopper.com/

I don't want cookies sent to domains like https://static.t1shopper.com/

Thanks!

https://php.net/manual/en/session.configuration.php#ini.session.cookie-domain
Geoff Millikan Asked:

Dave Baldwin (Fixer of Problems) Commented:
Leave 'session.cookie_domain' blank; filling it in will only cause problems.  Cookies are sent / returned Only to the domains that set them.  Since only scripts like PHP and JavaScript can set cookies, static content like images and CSS files can Not set cookies.

However, if you set the cookies to be on any domain under 't1shopper.com', the cookies will be sent with every request for a page in that domain.  That is not your choice.  That is the way browsers work.

I don't know why you are concerned with the cookies that are sent.  If there is no script to receive them, they are simply ignored.
F P Commented:
Use this...

".t1shopper.com"

Having the . in front of the domain makes the cookie work for all sub-domains. It's all or one.
F P Commented:
I guess you could call setcookie 2 times, one for each. Also on each setcookie, modifying from what I'm posting below, you could specify the domain itself. Other than that, I would use htaccess and/or mod_rewrite in your httpd.conf file (if you're using apache) to make the site default only to www. or without the www., making it consistent.

(e.g., on htaccess:

RewriteEngine on

RewriteCond %{HTTP_HOST} !^www [NC]
RewriteCond %{HTTP_HOST} ^t1shopper\.com$ [NC]
RewriteRule ^(.*)$ http://www.t1shopper.com/$1 [R=301,L]

)

http://php.net/manual/en/function.setcookie.php

Example #3 setcookie() and arrays

You may also set array cookies by using array notation in the cookie name. This has the effect of setting as many cookies as you have array elements, but when the cookie is received by your script, the values are all placed in an array with the cookie's name:

<?php
// set the cookies
setcookie("cookie[three]", "cookiethree");
setcookie("cookie[two]", "cookietwo");
setcookie("cookie[one]", "cookieone");

// after the page reloads, print them out
if (isset($_COOKIE['cookie'])) {
    foreach ($_COOKIE['cookie'] as $name => $value) {
        $name = htmlspecialchars($name);
        $value = htmlspecialchars($value);
        echo "$name : $value <br />\n";
    }
}

Geoff Millikan (Author) Commented:
Dave Baldwin:  That's not the case.  Visit the following page the first time and you'll see in the headers the page sets the cookie.  Then refresh the page and you'll see the session cookie is sent to the host on every single request, even on images and CSS files:  https://www.t1shopper.com/contactus/   I don't want the browser to send cookies to  https://static.t1shopper.com/ because it wastes bandwidth slowing down the user experience especially mobile.

Frank Pennock - I only want cookies sent by the browser on the two domains listed in the OP.   I already re-write to redirect all traffic to www.*

Would putting two lines in the php.ini file work like this?
session.cookie_domain = "www.t1shopper.com"
session.cookie_domain = "t1shopper.com"

Thanks!
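
Added example (not part of any post in this thread): a JavaScript model of the RFC 6265 rules a browser applies when it stores a cookie and chooses which hosts to return it to, run for the session.cookie_domain values discussed above. The function names are illustrative, and the public-suffix check that real browsers also perform is left out.

```javascript
// Model of RFC 6265 cookie scoping: storing a cookie (section 5.3) and
// deciding which request hosts it is returned to (section 5.4).

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// Section 5.1.3: identical, or `domain` is a dot-aligned suffix of `host`.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith('.' + domain);
}

// Store step: returns the stored scope, or null if the browser rejects it.
// `domainAttr` is the Domain attribute (what session.cookie_domain emits);
// an empty string means the attribute is absent.
function storeCookie(settingHost, domainAttr) {
  const attr = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  if (attr === '') return { domain: settingHost.toLowerCase(), hostOnly: true };
  if (!domainMatch(settingHost, attr)) return null; // sibling or foreign host
  return { domain: attr, hostOnly: false };
}

// Send step: host-only cookies need an exact host match; others use domainMatch.
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// The three hosts named in the thread.
const HOSTS = ['t1shopper.com', 'www.t1shopper.com', 'static.t1shopper.com'];

// Which of HOSTS receive a cookie set by `settingHost` with Domain=`domainAttr`.
function recipients(settingHost, domainAttr) {
  const cookie = storeCookie(settingHost, domainAttr);
  return HOSTS.filter((h) => isSentTo(cookie, h));
}

for (const attr of ['', '.t1shopper.com', 't1shopper.com', 'www.t1shopper.com']) {
  console.log(JSON.stringify(attr), '->', recipients('www.t1shopper.com', attr).join(', '));
}
```

With the cookie set from www.t1shopper.com, an empty value keeps it host-only, while either t1shopper.com form also returns it to static.t1shopper.com and every other subdomain, which matters for a session cookie.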
F P Commented:
Correct, so the option at the bottom of my last post would've done that.

http://php.net/manual/en/function.setcookie.php

Example #3 setcookie() and arrays

You may also set array cookies by using array notation in the cookie name. This has the effect of setting as many cookies as you have array elements, but when the cookie is received by your script, the values are all placed in an array with the cookie's name:

<?php

// set the cookies and expire in 30 days
// the 4th argument is the path and the 5th is the domain
setcookie("cookie[one]", "cookieValueOne", time()+60*60*24*30, '/', 't1shopper.com');
setcookie("cookie[two]", "cookieValueTwo", time()+60*60*24*30, '/', 'www.t1shopper.com');

// after the page reloads, print them out
if (isset($_COOKIE['cookie'])) {
    foreach ($_COOKIE['cookie'] as $name => $value) {
        $name = htmlspecialchars($name);
        $value = htmlspecialchars($value);
        echo "$name : $value <br />\n";
    }
}

/**
 * gives you--
one : cookieValueOne
two : cookieValueTwo
 *
 * -- and you can use the same value across each.
 */
Dave Baldwin (Fixer of Problems) Commented:
I don't want the browser to send cookies to  https://static.t1shopper.com/ because it wastes bandwidth slowing down the user experience especially mobile.
As I said above... It is Not your choice.  In addition on that page, you have 86 characters worth of cookie data.  I don't think that is slowing down anything.
Cookie: PHPSESSID=-ayKsuZ4ip6Y2KOzdhDRE4pvp70; _ga=GA1.2.1051267783.1429765000; _gat=1

And even more interesting is that you do not have Any requests going to https://static.t1shopper.com/ on that page.  The headers that are sent and received by that page are in the attached file.
t1shopper-headers.txt
Dave Baldwin (Fixer of Problems) Commented:
If you really want to speed up that page, find a way to reduce those 20 or so GIFs into as few images as you can.  Each one is a separate request right now.  Many are smaller than any request or response header even without a cookie.

If you have Firefox and Firebug, look at the page load times in the Net tab in Firebug.
F P Commented:
If you're looking to increase speed, use PageSpeed Insights from Google.

https://developers.google.com/speed/pagespeed/insights/

Compress all images using Adobe Photoshop's "Save For Web" option.

http://help.adobe.com/en_US/creativesuite/cs/using/WS6E857477-27FE-4a88-B8A4-074DC3C65F68.html

Minify.

https://code.google.com/p/minify/

And use Sprites like what Dave mentioned.

http://www.w3schools.com/css/css_image_sprites.asp
Geoff Millikan (Author) Commented:
Thanks, and the Pingdom test has good optimization hints too.  All that stuff is great but it takes a lot of time.  This cookie fix I was hoping would be a simple config file change in php.ini but it seems like that's not an option?
Dave Baldwin (Fixer of Problems) Commented:
What cookie fix?  You are not using the static domain so it does not apply.  The last question we had about trying to use 'session.cookie_domain' turned out to disable PHP when they tried to put something in there.

Geoff Millikan (Author) Commented:
Ack!  You're totally right!  I forgot on SSL we dropped the static domains because the SSL overhead to connect to multiple domains counteracted the threading benefit.  Ack!  My bad!  You can see on the homepage we use static domains to serve static content like http://c.static.t1shopper.com/i/whitecorner.gif 

Yes, we tried to do sprites on all those dumb GIFs but it was a total pain...  We'll fix it when we redesign the whole site for mobile.  <sigh>

Thanks so much everyone.
Dave Baldwin (Fixer of Problems) Commented:
You're welcome.  Glad you got it figured out.
F P Commented:
Check out the PageSpeed module for webservers that automagically does all that optimization for you:

https://developers.google.com/speed/pagespeed/module

Happy it's resolved!