February 2014

PHP and session.cookie_path - Heisenbug.

Submitted by michael on Tue, 02/18/2014 - 15:32
TIL: PHP's session.cookie_path defaults to '/', which is good. But if session.cookie_path is the empty string (''), then the cookie path is set relative to the current URL. If the request is to example.com/foo/bar/bax.php and the cookie path is '', then the cookie is set for example.com/foo/bar - not example.com/ as one might expect. But then the browser goes and saves it forever. And you can get the same cookie id on multiple paths, and then they expire and maybe some get reset during a logout/login cycle.
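
The path scoping described above matches the browser's default-path and path-match rules in RFC 6265 section 5.1.4. The following simulation is an added example, not code from the original post; it assumes an empty session.cookie_path produces a Set-Cookie header with no Path attribute, and the CookieJar class, request paths and cookie values are constructed for illustration.

```javascript
// Added example: RFC 6265 default-path and path-match in a tiny cookie jar.
// Assumption: session.cookie_path = '' means Set-Cookie carries no Path attribute.

// RFC 6265 section 5.1.4: default-path derived from the request URI path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does a stored cookie path cover this request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Minimal jar: cookies are keyed by (name, path), so one name can be stored
// several times, once per directory that issued it.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  // pathAttr === "" models a Set-Cookie without a Path attribute.
  set(requestPath, name, value, pathAttr = "") {
    const path = pathAttr.startsWith("/") ? pathAttr : defaultPath(requestPath);
    this.cookies.set(`${name};${path}`, { name, value, path });
  }
  // Cookies the browser would attach to a request for requestPath.
  sentTo(requestPath) {
    return [...this.cookies.values()]
      .filter((c) => pathMatches(requestPath, c.path))
      .map((c) => `${c.name}=${c.value} (Path=${c.path})`);
  }
}

// Constructed scenario: sessions started from two different directories.
function demo() {
  const jar = new CookieJar();
  jar.set("/foo/bar/bax.php", "PHPSESSID", "aaa"); // scoped to /foo/bar
  jar.set("/foo/login.php", "PHPSESSID", "bbb");   // scoped to /foo
  return {
    stored: jar.cookies.size,
    atBax: jar.sentTo("/foo/bar/bax.php"), // receives both session ids
    atLogin: jar.sentTo("/foo/login.php"), // receives only the /foo one
    atRoot: jar.sentTo("/index.php"),      // receives none
  };
}
console.log(demo());
```

Calling jar.set(..., "/") for both requests, which corresponds to session.cookie_path = '/', leaves a single PHPSESSID entry that every path receives.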