I’ve got this setup currently running, where a website is running at site.domain.tld with the backend being at admin.site.domain.tld.
A somewhat SSO-ish system is to be installed at sso.admin.site.domain.tld. In fact, when visiting this site, the user is authenticated, a corresponding cookie is being set and the user is moved back to admin.site.domain.tld.
When I am setting a cookie like this:
setcookie('bid', $bid, 0, '/', 'admin.site.domain.tld');
I’ll get a cookie that is issued for .admin.site.domain.tld (note the dot).
The login like this works fine, but if the user for whatever reason goes first to admin.site.domain.tld and then decides to log in using sso[…], we have a problem: the admin page sets itself a cookie – but this time it is issued for admin.site.domain.tld – without the dot at the beginning.
So basically after using the SSO login this time, the user ends up with two different cookies, one for admin.site.domain.tld, one for .admin.site.domain.tld.
Because the admin page prefers the cookies set directly for the page itself, the dot-cookie gets ignored and the login fails.
So basically the best way would be to read, modify or just delete the already existing cookie, but this seems to be impossible from the sso-subdomain.
“Because of reasons”, we are not able to place our stuff from the sso-subdomain directly on the admin-subdomain.
Anyone here with an idea what I could do to somehow get rid of those “bad” admin.-cookies?
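Added example (not from the original post or the site in question): a small Python model of RFC 6265 cookie scoping that replays the situation above, showing why the dot-less host-only cookie and the domain cookie coexist on admin.site.domain.tld, why the SSO host never even receives the host-only one, and why only the admin host itself can expire it. Hostnames are the post's; the cookie values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # canonical host or domain, stored without a leading dot
    host_only: bool   # True when the Set-Cookie carried no Domain attribute

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def set_cookie(jar, setter, name, value, domain=None):
    """Set-Cookie sent by host `setter`. No Domain attribute -> host-only cookie;
    a Domain attribute is accepted only if `setter` lies inside it. Overwriting a
    key keeps its position in the insertion-ordered dict, i.e. its creation order."""
    if domain is None:
        jar[(name, setter, True)] = Cookie(name, value, setter, True)
        return True
    domain = domain.lstrip(".")   # ".admin.x" and "admin.x" name the same scope
    if not domain_matches(setter, domain):
        return False              # browser rejects a cookie for a foreign domain
    jar[(name, domain, False)] = Cookie(name, value, domain, False)
    return True

def expire_cookie(jar, setter, name, domain=None):
    """Deletion is just a Set-Cookie with the same scope: it only hits the cookie whose
    (name, domain, host-only) key it reproduces, never another host's host-only cookie."""
    key = (name, setter, True) if domain is None else (name, domain.lstrip("."), False)
    if not domain_matches(setter, key[1]):
        return False
    return jar.pop(key, None) is not None

def cookie_header(jar, host):
    """Values sent to `host` (all paths are '/'), in creation order as RFC 6265 section
    5.4 orders them; PHP keeps the first duplicate name in $_COOKIE, so index 0 wins."""
    return [c.value for c in jar.values() if
            (c.domain == host if c.host_only else domain_matches(host, c.domain))]

def question_scenario():
    """Replay the post: admin sets a host-only 'bid', then the SSO host logs the user in."""
    admin, sso = "admin.site.domain.tld", "sso.admin.site.domain.tld"
    jar = {}
    set_cookie(jar, admin, "bid", "stale", None)     # the dot-less cookie (constructed value)
    set_cookie(jar, sso, "bid", "fresh", admin)      # the .admin... cookie (constructed value)
    result = {"admin_sees": cookie_header(jar, admin), "sso_sees": cookie_header(jar, sso),
              "sso_expire_hostonly": expire_cookie(jar, sso, "bid", None),
              "sso_expire_domain": expire_cookie(jar, sso, "bid", admin)}
    result["admin_sees_after"] = cookie_header(jar, admin)
    result["admin_expire_own"] = expire_cookie(jar, admin, "bid", None)
    return result
```

The replay shows the admin host receiving "stale" before "fresh", the SSO host receiving only "fresh", and the SSO host's two deletion attempts either missing (host-only) or removing only its own domain cookie; the host-only cookie is cleared only by a Set-Cookie from admin.site.domain.tld itself.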
Would it just be possible to use a different cookie name? You have one subdomain that reads and writes “cookie1” and then another subdomain that reads and writes “cookie2”. Does that solve your problem?