Colliding cookies

cookiesFor the Alberta Greens we're setting up a swath of subdomains to use in organizing voter phonebanking and canvassing. The setup looks like this:
domain.com
sub1.domain.com
sub2.domain.com

However we had some strange problems where after logging in to one site you couldn't log into any of the other sites. A bit of research found that the problem
was that PHP session cookies were colliding. I found a post in the Drupal issue tracker that someone else had already filed for the problem. Different people did research in different area on what was causing the problem and how to fix it.

The problem happens because by default Drupal sets the cookie domains to be:
.domain.com
.sub1. domain.com
.sub2.domain.com
And all session cookies are given the same name. And in theory all should work as expected because PHP should return the most specific cookie for our current session. But it doesn't.

It turns out that web browsers return all the cookies that could possibly apply, not just the most specific one. And PHP gives Drupal the last cookie it gets, which unfortunately is probably not the one we want. So this is a PHP bug. It's also a bug in the original cookie spec as there are conflicting rules about what order cookies should be sent by the browser. And thus different browsers can return the cookies in whatever order they choose. Yikes, this runs deep.

So a bug has been filed with PHP. But meanwhile a patch has been filed to make Drupal work around the issue by giving a unique name (derived from the $base_url) for the session cookie. Hopefully this patch make it into Drupal 5.2.

So this rather complicated (and hard-to follow I'm sure) story shows why Open Source is so great. If it was just me trying to figure this out on my own, I would have gotten as far as "My cookies are colliding and I'm not sure why". And I would have created an ugly workaround that would have been difficult to maintain.

But because there were about 10 people working on it, we all pitched in a bit of effort and created a sollution that actually fixed the problem for the longterm.

Yet another reason why proprietary software isn't a good solution for running a website.