Controlling Cookie Domains and Subdomains in PHP

When creating a multi-subdomain site, it becomes necessary to control the domains for session cookies to ensure proper session management for each subdomain. However, there seems to be a discrepancy in PHP's cookie handling when setting the domain manually.

By default, session_start() assigns a session cookie with the current subdomain. However, attempting to set the cookie domain using ini_set() or session_set_cookie_params() results in a cookie with a domain starting with a dot (.subdomain.example.net). This behavior automatically associates the cookie with all subdomains.

The issue arises because PHP's cookie functions automatically prefix the provided domain with a dot. To avoid this, the header() function can be used instead. This allows for explicit control over the cookie domain. For example:

header("Set-Cookie: cookiename=cookievalue; expires=Tue, 06-Jan-2009 23:39:49 GMT; path=/; domain=subdomain.example.net");

By using header(), we can set the cookie domain without the automatic prefixing, thus restricting the cookie to the specified subdomain. This method provides precise control over cookie domains and subdomains in multi-subdomain PHP applications.