Home » Php » PHP: Cookie domain / subdomain control

PHP: Cookie domain / subdomain control

Posted by: admin April 23, 2020 Leave a comment


I’m working on a site with multiple subdomains, some of which should get their own session.

I think I’ve got it worked out, but have noticed something about cookie handling that I don’t understand. I don’t see anything in the docs that explains it, so thought I would see if anyone here has some light to shed on the question.

If I just do:


I end up with a session cookie like this:


However, if I make any attempt to set the cookie domain myself, either like

ini_set('session.cookie_domain', 'subdomain.example.net');

or like

session_set_cookie_params( 0, "/", "subdomain.example.net", false, false);

I end up with a cookie for .subdomain.example.net (note the opening dot), which I believe means “match all subdomains (or in this case sub-subdomains).

This seems to happen with all my cookies actually, not just session. If I set the cookie domain myself, it automatically has the dot prepended, meaning this domain and all subs of it. If I don’t set the domain, then it gets it right by using only the current domain.

Any idea what causes this, and what I can do to control that prepending dot?


How to&Answers:

PHP’s cookie functions automatically prefix the $domain with a dot. If you don’t want this behavior you could use the header function. For example:

header("Set-Cookie: cookiename=cookievalue; expires=Tue, 06-Jan-2009 23:39:49 GMT; path=/; domain=subdomain.example.net");


If you run your PHP script under “http://subdomain.example.net“, don’t use the domain parameter:


You will get a cookie with “subdomain.example.net” (and not “.subdomain.example.net”)


If you read all of RFC 6265, you’ll realize that the only proper way to have a “host-only” cookie is to NOT set the domain attribute.



I realise this is an old question but I was having this problem and none of the answers above quite did it.

I wanted to set the session cookie for a subdomain, but also enable httponly and secure.

To avoid a leading . infront of the subdomain, Kevin and stolsvik are correct don’t set the domain attribute.

So to do this and still be able to set httponly and secure mode, set the domain to NULL as follows:

session_set_cookie_params(0, '/', NULL, TRUE, TRUE);

You will now have a session cookie, for a specific subdomain (without a leading .) with httponly and secure set to true.


This may help someone (i spent some hours to figure this out). After make the changes in the source files and before you test it, close your browser to properly destroy PHPSESSIONID in all domains and subdomains.

Hope this save some time!


I was having a problem to set cookies on wordpress and this helped me, the domain value was the key to get it working in all the pages

$domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false;

setcookie("cookie_name", 'cookie_value', 0, '/', $domain);