You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
By default, PHP is configured so that sessions are unique to a domain. For example, if a session is started on www.example.com, the session would not be valid for sso.example.com, and vice versa. If you have two or more domains, and you want a session created on one domain to be valid for another domain, in your php.ini file, set the session.cookie_domain directive to exclude the domain prefix (www, sso, et cetera).
If
session.cookie_domain =is empty it triggers a fail and the description is:AFAIK if none is provided it will use the current hostname (https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-domain).
Bit is seems that
cookie_domainis used when you have multiple sub-domains so that the cookie can be shared amogn several sub-domains http://www.freekb.net/Article?id=806#Multiple%20domainsSo enabling it this behavior make the application less secure as it increase the attack surface and increase the risk of session stealing because of possible sub-domaine takeovers https://programmierfrage.com/items/how-can-php-session-cookie-domain-be-secure
IMO the check should be the exact opposite
The text was updated successfully, but these errors were encountered: