Control Panel Location: Admin ‣ Security and Privacy ‣ Cookie Settings
This section of the Control Panel allows you to define cookie settings for your website.
Optionally specify a domain the cookie is available to. By default, the
exact hostname of the requested page is set as the cookie domain. For
example, if the page at
is loaded and the cookie domain is left blank in ExpressionEngine’s
configuration, the browser will use
www.example.com as the cookie
domain. The browser will only make these cookies available when the
page’s hostname is exactly
If the cookie domain is explicitly specified, however, the browser will
make the cookie available whenever the requested page’s hostname
contains the cookie domain. For example, setting the cookie domain to
.example.com will ensure the cookie is shared whenever the requested
page’s hostname includes
blog.example.com, and so on.
If you’re running multiple subdomains on a single ExpressionEngine installation and want member sessions to be valid across all subdomains, you should explicitly set the cookie domain.
There’s an important difference between
.example.com. When the cookie domain begins with a dot, browsers
match any hostname that includes the cookie domain. Without the
dot prefix, browsers are looking for an exact hostname match in the
URL, which means cookies will not be available to subdomains. A
cookie set by PHP with an explicitly specified cookie domain will
always include the dot prefix, whether or not one is included in
this ExpressionEngine setting. For clarity’s sake, the examples here
include a leading dot when the cookie domain is being explicitly
Browsers will not save cookies if the specified cookie domain
isn’t included in the request’s hostname. In other words, a site can
only set cookies for
.example.com if its hostname actually
Optionally specify a cookie path. When a cookie path is set, the browser
will only share cookies with ExpressionEngine when the beginning of the
URL path matches the cookie path. For example, if the cookie path is set
/blog/, a cookie for the domain
example.com will only be sent
by the browser if the URL begins with
can be useful if you have ExpressionEngine installed in a sub-directory
and want to ensure that only that particular installation has access to
the cookies it sets.
Specify a prefix for the cookie name set by ExpressionEngine. This protects against collisions from separate ExpressionEngine installations on the same cookie domain.