The next request from the browser will have both cookies in the $_SERVER['HTTP_COOKIE'] variable, but only one of them will be found in the $_COOKIE variable.
Requests to subdom.will have both cookies, while browser request to or sends the cookie with the "value1hostonly" value.
The server my php code is running on has sessions disabled so I am forced to store a fair bit of arbitrary data in cookies.
Thus allowing the stealer to login to your site as another user that might not have access otherwise. You can't be sure that the visitor will use the same IP the next visit.
It has been suggested that this setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers), but that claim is often disputed. Note that the value portion of the cookie will automatically be urlencoded when you send the cookie, and when it is received, it is automatically decoded and assigned to a variable by the same name as the cookie name.
If you don't want this, you can use You may also set array cookies by using array notation in the cookie name.
On high traffic sites, this can substantially increase the size of subsequent HTTP requests from clients (including requests for static content on the same domain).
More importantly though, the cookie specification says that browsers need only accept 20 cookies per domain.If you're having problem with IE not accepting session cookies this could help: It seems the IE (6, 7, 8 and 9) do not accept the part 'Expire=0' when setting a session cookie. The default behavior when the 'Expire' is not set is to set the cookie as a session one.(Firefox doesn't complains, btw.) Note when setting "array cookies" that a separate cookie is set for each element of the array.I do not serialize any class instances, just arrays and simple objects.In a nutshell, when setting a cookie value, I serialize it, gzcompress it, base64 encode it, break it into pieces and store it as a set of cookies.There is no warranty that such will happen as instructed.