Session Cookie Domain Madness on my Behalf
OK, you have two sites, one of them under SSL, and you want to preserve the users' sessions between them - so that, for example, they can shop on your wonderful e-comm site and then check out/login/whatever safely under SSL. So you develop the site locally on the following domains:
http://www.example-dev/
https://secure.example-dev/
Great! Or so you would have thought anyway… Time to set up PHP’s session.cookie_domain using one of the two possibilities; either in the php.ini file or using ini_set. So I did this:
ini_set('session.cookie_domain', '.example-dev');
Fool! I had clean forgotten to think about the good old RFC 2965 HTTP State Management Mechanism memo, which quite specifically states (and I quote):
The term effective host name is related to host name. If a host name contains no dots, the effective host name is that name with the string .local appended to it. Otherwise the effective host name is the same as the host name. Note that all effective host names contain at least one dot.
Yep, at least one dot. Back to the drawing board there boy!
http://www.example-dev.com/
https://secure.example-dev.com/
and…
ini_set('session.cookie_domain', '.example-dev.com');
Sweet, only one session per session, not one session per page refresh!
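The check that would have caught this before the first page refresh, as an added example (not code from the original post): it models the RFC 2965 cookie-rejection rules, which require a Domain value with an embedded dot and a request host that domain-matches it. The function names are hypothetical, and it assumes the client applies these RFC 2965 rules as written.

```php
<?php
// Added example; function names are hypothetical, not from the original post.

// RFC 2965 effective host name: a dotless host gets ".local" appended.
function effective_host_name(string $host): string
{
    $host = strtolower($host);
    return strpos($host, '.') === false ? $host . '.local' : $host;
}

// The Domain value needs a dot other than the leading one, or must be ".local".
function has_embedded_dot(string $domain): bool
{
    $domain = strtolower($domain);
    return $domain === '.local' || strpos(trim($domain, '.'), '.') !== false;
}

// Would a client applying these RFC 2965 rules keep a cookie with this Domain?
function cookie_domain_accepted(string $domain, string $requestHost): bool
{
    if (!has_embedded_dot($domain)) {
        return false;                       // e.g. ".example-dev"
    }
    $domain = '.' . ltrim(strtolower($domain), '.');
    $host   = effective_host_name($requestHost);
    $len    = strlen($domain);
    if (strlen($host) <= $len || substr($host, -$len) !== $domain) {
        return false;                       // host does not domain-match
    }
    // The part of the host in front of the Domain value may not contain a dot.
    return strpos(substr($host, 0, -$len), '.') === false;
}

// The two setups from the post: [cookie domain, hosts that must share it].
$setups = [
    ['.example-dev',     ['www.example-dev', 'secure.example-dev']],
    ['.example-dev.com', ['www.example-dev.com', 'secure.example-dev.com']],
];
foreach ($setups as [$domain, $hosts]) {
    foreach ($hosts as $host) {
        $ok = cookie_domain_accepted($domain, $host);
        printf("%-17s from %-23s %s\n", $domain, $host, $ok ? 'accepted' : 'rejected');
    }
}
```

Because the session cookie has to reach the plain-HTTP host as well, it cannot carry the Secure flag, so the same session ID also travels over the unencrypted site.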
About this entry
You’re currently reading “Session Cookie Domain Madness on my Behalf,” an entry on chris ramsay
- Published: 2.22.07 / 1pm
- Category: PHP, Programming