rspec/rules/S3331/php/rule.adoc

A cookie's domain specifies which websites should be able to read it. Left blank, browsers are supposed to only send the cookie to sites that exactly match the sending domain. For example, if a cookie was set by _lovely.dream.com_, it should only be readable by that domain, and not by _nightmare.com_ or even _strange.dream.com_. If you want to allow sub-domain access for a cookie, you can specify it by adding a dot in front of the cookie's domain, like so: _.dream.com_. But cookie domains should always use at least two levels.


Cookie domains can be set either programmatically or via configuration. This rule raises an issue when any cookie domain is set with a single level, as in _.com_.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Noncompliant Code Example

----
setcookie("TestCookie", $value, time()+3600, "/~path/", ".com", 1); // Noncompliant
session_set_cookie_params(3600, "/~path/", ".com"); // Noncompliant

// inside php.ini
session.cookie_domain=".com"; // Noncompliant
----

== Compliant Solution

----
setcookie("TestCookie", $value, time()+3600, "/~path/", ".myDomain.com", 1);
session_set_cookie_params(3600, "/~path/", ".myDomain.com");

// inside php.ini
session.cookie_domain=".myDomain.com";
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			A cookie's domain specifies which websites should be able to read it. Left blank, browsers are supposed to only send the cookie to sites that exactly match the sending domain. For example, if a cookie was set by _lovely.dream.com_, it should only be readable by that domain, and not by _nightmare.com_ or even _strange.dream.com_. If you want to allow sub-domain access for a cookie, you can specify it by adding a dot in front of the cookie's domain, like so: _.dream.com_. But cookie domains should always use at least two levels.

Force linebreaks 2021-02-02 15:02:10 +01:00
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`Cookie domains can be set either programmatically or via configuration. This rule raises an issue when any cookie domain is set with a single level, as in _.com_.`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Noncompliant Code Example`

			`----`
			`setcookie("TestCookie", $value, time()+3600, "/~path/", ".com", 1); // Noncompliant`
			`session_set_cookie_params(3600, "/~path/", ".com"); // Noncompliant`

			`// inside php.ini`
			`session.cookie_domain=".com"; // Noncompliant`
			`----`

			`== Compliant Solution`

			`----`
			`setcookie("TestCookie", $value, time()+3600, "/~path/", ".myDomain.com", 1);`
			`session_set_cookie_params(3600, "/~path/", ".myDomain.com");`

			`// inside php.ini`
			`session.cookie_domain=".myDomain.com";`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`