Different Session Cookie for Different Paths

Question

I need to store separate cookies for individual directories on my site. I have read several articles on how this can be accomplished, but I have not been able to get any of the solutions to work for me. I am executing one of these lines on each page (COOKIE_PATH = '/city_dir/'):

session_set_cookie_params($lifetimeSeconds, COOKIE_PATH);

or

session_save_path(COOKIE_PATH);

Followed by:

if (isset($_COOKIE['PHPSESSID'])){ 
    $data = $_COOKIE['PHPSESSID']; 
    $timeout = time() + $lifetimeSeconds; 
    session_start();
    setcookie('PHPSESSID', $data,  $timeout); 
}
else {
    session_start();
}
session_regenerate_id(true);

The first line (session_set_cookie_params) sounded like the correct solution, but when I use that line, no cookies show up at all in the Chrome web developer tool listing, and I am unable to log in to the site.

The second line doesn't sound like the correct solution (seems I should be dealing with the cookie path, not the save path), but it comes closer. The first time a page loads, I see a cookie for path "/". If I refresh the page, that cookie remains, and a cookie is listed for the path COOKIE_PATH. Unfortunately, I am still unable to log in. I searched and tried many variations all weekend, but could not get anything to work. What am I missing? I am using PHP Version 5.3.18.

Answer 1

I need to store separate cookies for individual directories on my site

Are you really REALLY sure this is the only way to solve the problem? You should only even attempt this if someone is holding your family hostage.

If the lives of your loved ones is under threat, then use a different session name for the different sessions. You could still associate the resulting cookies with different paths - but this is coincidental.

You are confusing the cookie path and the session handler path in your question.

Your code as it stands binds an existing session (you don't know where it came from - in most cases, it is the the path the browser is already on) and rebind the existing session. It is just possible that this is actually what you intend - but is still extremely dangerous. Assuming that you understand and manage the risk of fixation, then using differnt session names is still a better solution.

Perhaps if you told us why you need to this, we might be able to come up with more sensible advice on how to solve the problem.

Answer 2

session_save_path() is used to define where to store cookies on the server, and I'm not sure this is what you need.

The documentation of setcookie() lists another path param which may be useful if your "path" is really the portion of the URL after the port used to access the script.

I would not play with PHPSESSID because it's used to track users sessions, and it's quite unusual to have different sessions on the same host.

Answer 3

You seem to be making this more difficult than it has to be. A site can set MANY cookies in a client's browser, but they don't follow directory structures.

What you want to do is something like:

setcookie('Akron',$data_about_akron,time() + (86400 * 7)); // 86400 = 1 day
setcookie('Boston',$data_about_boston,time() + (86400 * 7)); // 86400 = 1 day

and then retrieve it with:

$data_about_akron = $_COOKIE['Akron'];

Answer 4

Adding a session name has given me the functionality I was looking for (lightly tested):

session_name($cookieName);
session_set_cookie_params($lifetimeSeconds, $cookiePath);

With this code, there is no PHPSESSID cookie, just the named cookie.

The issue has also been raised whether this is the appropriate approach, and that issue is still open. After reading up on session fixation, it sounds like that risk was with the code I had included after the cookie setting. That code was actually meant to address a different issue, I only included it because I thought it may have an impact on the cookie/session issue presented in the original question.

@Frits van Campen: One requirement that makes me believe that I need a separate session for each city is that my client now wants to track when each user logs in and out of each city. In addition, the same user could have different permissions for different cities.

So, if this is a bad approach, why is it bad (security, maintainability, etc)? What are other options (I can only come up with moving to subdomains).