Posted by krisgale as cookies
this is a phenomenon i have long wondered about, myself, the answer to which came to light upon reading further into rfc-2109 after yesterday’s post.
so why can you not serve a ‘plain vanilla’ cookie (only name or name and expires attributes provided) during a redirect and expect it to still be there afterward? security.
to quote […]
when you’re “rolling your own” session management by using header(”Set-Cookie:… and you’re mixing temporary cookies with ones that have an expires= attribute, you may notice erratic behavior unless you set the temporary parameters first.
header(”Set-Cookie: permanent=important; expires=Sun, 17-Jan-2037 23:59:59 GMT”);
may not work as expected, whereas if you switch the two around, you’re good to […]