JD_Toims - 12:07 am on Dec 10, 2013 (gmt 0)
Well, I'm totally confused by what you're doing, iseven.
In your first example, you're using ini_set() to set the session.cookie_domain, but you're not using a session; you're just setting a cookie, so it has no effect.
Then in your first example you're setting the location as the city only, but in your next example you're using HTTP_HOST as the value with base64_decode($_COOKIE['city']) as the location for the city subdomain redirect.
Neither example has a protocol set, because HTTP_HOST doesn't contain a protocol, so when the browser receives the location header it's likely to stay at the same level on the same domain and request http://www.example.com/the-city.example.com or http://www.example.com/the-city depending on which is in the cookie.
Also, you're not checking any values to ensure they're "clean and untampered with", even though the cookie is stored on the end user's machine and sent back to your server -- It's not only "bad form", it's a security hole.
Then in the second example you have two different functions between the main domain and the subdomains, but on the subdomains in the second example you're setting a whole string of cookies even though they're all the same value -- If they're all the same and the example.com cookie is available to the subdomains then you don't need subdomain specific cookies, because the user won't be able to visit those subdomains anyway since you're redirecting to the city subdomain in the cookie when they land on the main or subdomain and have a cookie set.
I'm not sure how user friendly it's going to be to make it so no one can ever visit the main domain or a different city subdomain on the site until they either empty their cookies or the one you're setting expires, which is what it looks like you're doing, but that said:
Could you please explain what you're trying to do and which code you're actually using, because the two examples you've given "don't play well together" at all right now.