Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

defaultCookieDomain doesn't seem to be used for Craft PHP session #5029

oddnavy opened this issue Oct 2, 2019 · 4 comments


Copy link

commented Oct 2, 2019


defaultCookieDomain doesn't seem to be used for the Craft PHP session cookie but is used for other Craft cookies even when session.cookie_domain='' in php.ini.

CRAFT_CSRF_TOKEN, username, and identity all use the correct domain for cookies but PHPSESSID does not.

If we manually set the session.cookie_domain in web/index.php and retry it works as intended.

ini_set('session.cookie_domain', '.example.tld');

Steps to reproduce

  1. Serve Craft from a subdomain subdomain.example.tld
  2. Set defaultCookieDomain => '.example.tld' in general.php
  3. Check devtools Resources tab for PHPSESSID cookie domain. It will not be set to the value set in defaultCookieDomain

Additional info

  • Craft version: Craft Pro
  • PHP version: 7.2.23
  • Database driver & version: MySQL 5.7.12

This comment has been minimized.

Copy link

commented Oct 3, 2019

This is pretty weird… I’m able to reproduce, but not sure why. Craft/Yii is correctly setting the session cookie domain based on defaultCookieDomain, as evidenced by the session_get_cookie_params() output right before headers are sent:

session_get_cookie_params() output

Any ideas @angrybrad ?


This comment has been minimized.

Copy link

commented Oct 3, 2019

Not possibly related to this little gem? Which I was going to hold onto before saying anything, received last night from latest release Chrome (not Canary, not tested that yet).

And yes, might be my own header there; because not set secure etc. yet...

87-demo-hans-j%C3%B8rgen:1 A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and

pic of headers


This comment has been minimized.

Copy link

commented Oct 7, 2019

That looks like a warning about a cookie that will be ignored in a future Chrome release; seems unrelated.


This comment has been minimized.

Copy link

commented Oct 10, 2019

@brandonkelly I've also spotted that the value for sameSiteCookieValue isn't used either

@angrybrad angrybrad self-assigned this Oct 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
4 participants
You can’t perform that action at this time.