> On Jan 27, 2022, at 1:20 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote: > > > On 27/01/2022 21:06, paulf@xxxxxxxxxxxxxxxxx wrote: >> On Thu, 27 Jan 2022 11:40:52 -0500 >> Aziz Saleh <azizsaleh@xxxxxxxxx> wrote: >> >>> You can run an example test via browser to see it in action: >>> ----------------------------- >>> >>> $name = isset($_GET['name']) ? $_GET['name'] : 'PHPSESSID'; >>> echo 'Name: ' . $name . '<br/>'; >>> session_name($name); >>> session_start(); >>> >>> echo 'Cookie/Session name: '; >>> echo session_name(); >>> echo '<br />'; >>> >>> echo "Value: " . session_id(); >>> >>> -------------------------- >>> >>> Change ?name=SESSION_Name >>> >> I've been studying the cookies on the server and in Firefox's local >> cache of cookies, and reading up on the cookie "process". >> >> Follow up question: When your browser requests a page from the server, >> does it send *all* the unexpired cookies where that server is the host, >> regardless of the actual page being requested? >> >> Paul >> > The short answer is yes. > > The long answer, it depends on the individual cookie settings. If a cookie is set for a different subdomain (but the same main domain) it will not be sent. Typically to avoid this a cookie might be linked to example.com (or .example.com for compatibility with much older browsers) rather than foo.example.com > > Cookies can be set to secure mode, which means they only get sent on HTTPS requests, and not for HTTP requests. > > Also, the path of the cookie can have an affect on whether it's sent with a request or not. The path portion must be in the path being requested, which is why cookies almost always are seen having their path set to just / > > Finally, cookies now have a SameSite option, which is intended to prevent them being sent as part of a CSRF request. > > -- > Ashley Sheridan > https://www.ashleysheridan.co.uk There is a bit more about cookie paths that I would like to include. a cookie set by /first dir/second dir/htmlpage with the path set /first dir/second dir/htmlpage cannot be seen by /first dir/htmlPage. It can be an extra level of security/privacy. That has been my experience. It may have some caveates that I am not taking into account. I have been working with javascript and the SameSite Strict and Lax, and the secure attributes. My local dev server does not do HTTPS. Javascript can set cookies and read, and delete cookies that can be seen by the html page with the js code. JK
