PHP setcookie() for domain but NOT subdomains PHP setcookie() for domain but NOT subdomains php php

PHP setcookie() for domain but NOT subdomains


Apparently, having a cookie on "domain.com" that will match "*.domain.com" is expected behaviour.

For instance : PERSISTENT CLIENT STATE HTTP COOKIES state (some emphasis mine) :

domain=DOMAIN_NAME

When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. ...
"Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".

Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

So, you'll either have to :

  • use "www.domain.com" for your site
  • or use a totally different domain name for your static content (like ".anotherdomain.com")
    • for instance, this is what is done on stackoverflow : static content is served from sstatic.net


this is the reason why quite a few sites (including this one) register a dedicated domain for use as a CDN.


It is not possible as the cookie domain is tail matched against the domain name. You will have to go with www.