new-rewrite, cookies and sub-domains

Discussion in 'aMember Pro v.4' started by hank, Oct 7, 2011.

  1. hank

    hank New Member

    Joined:
    Oct 6, 2011
    Messages:
    8
    New to aMember v4 and just getting started.

    Want to set up multiple domains.

    http://manual.amember.com/FAQ#One_site_-_Multiple_domains
    Not sure how much to rely on existing documentation.

    aMember is at secure.mysite.com
    Content at videos.mysite.com, blogs.mysite.com etc

    Brief experiments with new-rewrite are not happy for me, but I'm not sure that what I am attempting is designed/legal.

    Looks like logic depends on cookie domain taken from $_SERVER.
    But I want to specify cookie domain as "mysite.com"
    So it will work across sub-domains.

    Am I barking up a wrong tree?
  2. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    aMember should be on your primary domain (mysite.com) and not on a subdomain.

    primary domain can set cookies for subdomains, but subdomains cannot set cookies for primary domains or peer subdomains.
  3. alexander

    alexander Administrator Staff Member

    Joined:
    Jan 8, 2003
    Messages:
    6,274
    By default, amember4 set cookie for .mysite.com (which will work for all subdomains as well) so there should not be any issues with protection.
  4. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    alexander, this is true if they install amember on the primary domain (ie. mysite.com) but not if they install it on a subdomain (amember.mysite.com) as a subdomain can not set a cookie for the primary domain (ie. .mysite.com) only for the subdomain.
  5. alex

    alex Administrator Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,020
    Frank, really?
    It really depends on browser, but works anywhere where I tried (not tried on IE yet).
  6. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    So in your test you set a cookie from sub1.mydomain.com and it was valid for both mydomain.com AND sub2.mydomain.com?

    It has been a while (July last year?) since I last looked at this, but at the time it violated the RFC which essentially is in place to prevent cross domain scripting exploits.
  7. alexander

    alexander Administrator Staff Member

    Joined:
    Jan 8, 2003
    Messages:
    6,274
    Cookie should have host set as .domain.com (with point) then yes it will work for all sub domains even if you set it from sub domain.
    For example the most common situation when you run server at www.domain.com(which is subdomain of domain.com) you can set cookie that will be available for support.domain.com
  8. alex

    alex Administrator Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,020
    Definitely. You have to set cookie domain to ".domain.com" to accomplish this.

Share This Page