I have been reading as much as possible about the php.ini file and I have found nothing about whether or not it's bad/dangerous to not set session.cookie_domain in php.ini.

We are in a production environment and this is not set.

Are there security issues with not setting this? Cookies appear to be working well, no real issues.

The php.ini file looks like this:

session.cookie_domain =
user2506624

1 Answer

This configuration directive allows you to restrict the subdomains from which your session cookie will be valid. Since it is empty, you're accepting session cookies from all domains, so it's normal behavior that everything is working well from any subdomain.

Allowing PHP sessions to carry over to subdomains could also be useful.

Tim Abell
Alma Do
  • 'Since it is empty, you're accepting session cookies from all domains'. So is this dangerous? Are there any negatives to this? Can a hacker do anything by not setting this? Is there someplace that has this information? I have looked through Google, but have not really found anything. Thanks – user2506624 Aug 15 '13 at 14:26
  • It's up to you to decide. Maybe you want to have separate parts of your cross-domain application and sessions are used only in one part (i.e. one subdomain). – Alma Do Aug 15 '13 at 14:28
  • This seems to conflict with the documentation, which says leaving it blank makes it take the domain of the host that is generating the cookie. http://php.net/manual/en/session.configuration.php#ini.session.cookie-domain – The Unknown Dev Jan 23 '17 at 15:44
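
The scoping question raised in this thread, as an added example (not code from the question, the answer or PHP itself): it models the RFC 6265 browser rules for a session cookie sent without a Domain attribute (empty `session.cookie_domain`) and with one. The host names, session ID and function names are constructed for illustration, and the header is a simplified form of what PHP emits.

```php
<?php
// Added example: simplified model of RFC 6265 cookie scoping. All values are constructed.

/** Set-Cookie header for a given session.cookie_domain value (default session.name). */
function sessionSetCookie(string $cookieDomain, string $id = 'constructed-session-id'): string
{
    $header = 'Set-Cookie: PHPSESSID=' . $id . '; path=/';
    // A Domain attribute is emitted only when session.cookie_domain is non-empty.
    if ($cookieDomain !== '') {
        $header .= '; domain=' . $cookieDomain;
    }
    return $header;
}

/** RFC 6265 domain-match: identical, or $host ends with "." followed by $domain. */
function domainMatches(string $host, string $domain): bool
{
    $host = strtolower($host);
    $suffix = '.' . strtolower(ltrim($domain, '.')); // a leading dot is ignored
    return '.' . $host === $suffix || substr($host, -strlen($suffix)) === $suffix;
}

/** Would a browser that received the cookie from $originHost send it to $requestHost? */
function browserSendsCookie(string $originHost, string $cookieDomain, string $requestHost): bool
{
    if ($cookieDomain === '') {
        // No Domain attribute: host-only cookie, returned to the exact same host only.
        return strtolower($requestHost) === strtolower($originHost);
    }
    // A Domain value the setting host does not belong to is rejected when the cookie is set.
    if (!domainMatches($originHost, $cookieDomain)) {
        return false;
    }
    // Otherwise the cookie goes to that domain and every subdomain of it.
    return domainMatches($requestHost, $cookieDomain);
}

$origin = 'www.example.com'; // constructed host that runs session_start()
foreach (['', 'example.com', 'example.org'] as $setting) {
    echo sessionSetCookie($setting), PHP_EOL;
    foreach (['www.example.com', 'blog.example.com', 'example.org'] as $host) {
        $result = browserSendsCookie($origin, $setting, $host) ? 'sent' : 'not sent';
        printf("  %-18s %s\n", $host, $result);
    }
}
```

In this model the empty setting is the narrowest scope: the session cookie stays on the host that issued it, while setting a parent domain shares it with every sibling subdomain.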