24 August 2011

setting the session.cookie_path in PHP (redirection loop)

This is a quick note about a bug in some PHP code I was working on the other day. It took me a while to figure it out. I was developing and initially testing in Google Chrome, which is evidently forgiving of this kind of error. Maybe writing this will help someone (and maybe it'll help me not to make the same mistake again).

This was for an application which requires authentication. The controller sends the browser a redirect (to the login URL) if the user is not authenticated. I had set the cookie path with something like the following:


$baseUrl = 'https://www.example.com/gakkk/';

// several lines later...
// wrong: passes a full URL (scheme, host, path) where only a path is expected
ini_set('session.cookie_path', $baseUrl);


This worked OK in Chrome, but Firefox and MSIE both got locked up in redirection loops. After scratching my head for a while, I finally figured out that I should be doing this:

// correct: the path component only
ini_set('session.cookie_path', '/gakkk/');

The cookie_path setting (it has that name for a reason) becomes the Path attribute of the Set-Cookie header, and browsers compare that attribute against the request path only, so it should exclude the protocol, hostname, and port. Information security auditors like to complain about web applications that don't set the cookie path.
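As an added example (not code from the original post), the snippet below derives the cookie path from a base URL with parse_url() instead of passing the URL through, refuses anything that is not an absolute path, and then inspects the outgoing Set-Cookie header so the Path value can be confirmed. The helper name cookiePathFromBaseUrl is my own; the example assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and it assumes an HTTPS-only, HttpOnly session cookie is wanted because the base URL is https. The base URL and the /gakkk/ prefix are the post's own sample values.

```php
<?php
// Added example, not from the original post: derive session.cookie_path from
// a base URL rather than passing the whole URL, and verify what was sent.
declare(strict_types=1);

/**
 * Return only the path component of $baseUrl, suitable for the Path attribute
 * of the session cookie. Throws if the URL carries no absolute path.
 * (Helper name is this example's own, not a PHP or project function.)
 */
function cookiePathFromBaseUrl(string $baseUrl): string
{
    $path = parse_url($baseUrl, PHP_URL_PATH);
    // parse_url() returns null/false when there is no path; a cookie Path
    // must start with '/' or the browser will not match it against requests.
    if (!is_string($path) || $path === '' || $path[0] !== '/') {
        throw new InvalidArgumentException("No absolute path in base URL: $baseUrl");
    }
    return $path;
}

$baseUrl    = 'https://www.example.com/gakkk/';   // sample value from the post
$cookiePath = cookiePathFromBaseUrl($baseUrl);    // "/gakkk/", not the full URL

// Equivalent to ini_set('session.cookie_path', $cookiePath), plus the usual
// scoping flags (assumed desirable here since the site is served over HTTPS).
session_set_cookie_params([
    'path'     => $cookiePath,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Check what actually went out: the Set-Cookie header for the session cookie
// should contain "Path=/gakkk/" and nothing resembling a scheme or host.
// headers_list() only reports headers under a web SAPI, not on the CLI.
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
        echo $header, PHP_EOL;
    }
}
```

Running this under a web server and reading the echoed header is the quickest way to catch the original mistake: if the Path attribute ever shows a scheme or hostname, the value being handed to session.cookie_path is a URL rather than a path.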
