session.cookie_domain
noraj opened this issue · 0 comments
If `session.cookie_domain =` is empty it triggers a fail and the description is:
It is recommended that you set the default domain for cookies.
AFAIK if none is provided it will use the current hostname (https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-domain).
But it seems that `cookie_domain` is used when you have multiple sub-domains so that the cookie can be shared among several sub-domains http://www.freekb.net/Article?id=806#Multiple%20domains
Multiple domains
By default, PHP is configured so that sessions are unique to a domain. For example, if a session is started on www.example.com, the session would not be valid for sso.example.com, and vice versa. If you have two or more domains, and you want a session created on one domain to be valid for another domain, in your php.ini file, set the session.cookie_domain directive to exclude the domain prefix (www, sso, et cetera).
session.cookie_domain = ".freekb.net"
So enabling this behavior makes the application less secure, as it increases the attack surface and increases the risk of session stealing because of possible sub-domain takeovers https://programmierfrage.com/items/how-can-php-session-cookie-domain-be-secure
IMO the check should be the exact opposite
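As an added example (not the scanner's own code, and not part of the issue above), the following Python models what the two `session.cookie_domain` settings mean for the scope of the session cookie and implements the inverted check the issue proposes; the php.ini fragments and hostnames are constructed for illustration.

```python
"""Scope of the PHP session cookie under session.cookie_domain, plus the
inverted check proposed in the issue (PASS when empty, FAIL when set).
Added example; php.ini fragments and hostnames below are constructed."""
import re

# Matches an active (not ';'-commented) session.cookie_domain line.
INI_RE = re.compile(r'^\s*session\.cookie_domain\s*=\s*"?([^"\s;]*)"?', re.IGNORECASE)


def parse_cookie_domain(ini_text: str) -> str:
    """Return the session.cookie_domain value ('' if unset or empty).
    A leading dot is dropped, as browsers ignore it in the Domain attribute."""
    for line in ini_text.splitlines():
        m = INI_RE.match(line)
        if m:
            return m.group(1).lower().lstrip('.')
    return ''


def cookie_sent_to(cookie_domain: str, set_on: str, request_host: str) -> bool:
    """Browser domain matching: an empty cookie_domain yields a host-only
    cookie, returned only to the exact host that set it; a non-empty value
    makes the cookie match that domain and every one of its subdomains."""
    set_on, request_host = set_on.lower(), request_host.lower()
    if not cookie_domain:
        return request_host == set_on
    return request_host == cookie_domain or request_host.endswith('.' + cookie_domain)


def check_cookie_domain(ini_text: str) -> dict:
    """The check as the issue proposes it: empty is the safer default, a
    set value shares the session cookie with all subdomains, including any
    that has been abandoned and could be taken over."""
    domain = parse_cookie_domain(ini_text)
    if not domain:
        return {'status': 'PASS', 'domain': '', 'reason': 'session cookie is host-only'}
    return {'status': 'FAIL', 'domain': domain,
            'reason': f'session cookie is shared with every subdomain of {domain}'}


# Constructed php.ini fragments for the two configurations discussed above.
INI_DEFAULT = "session.cookie_domain =\n"
INI_SHARED = 'session.cookie_domain = ".freekb.net"\n'

if __name__ == '__main__':
    for ini in (INI_DEFAULT, INI_SHARED):
        dom = parse_cookie_domain(ini)
        print(check_cookie_domain(ini),
              'sso.freekb.net gets cookie set on www:', cookie_sent_to(dom, 'www.freekb.net', 'sso.freekb.net'))
```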