
Refine cookie-related docs about cookie domain and cookie prefix #195

Open
@yuliu


Relevant docs:
https://docs.mybb.com/1.8/development/cookies/
https://docs.mybb.com/1.8/faq/login-problems/

Points to refine:

  • The leading dot in the cookie domain setting shouldn't be emphasized.
  • Cookie prefix may cause login problem in some circumstances.
    Although rare, installing two MyBB instances with default settings, with the same relative path but under different levels of the same domain (a domain and a sub-domain w.r.t. the first one), may cause a login credential mismatch (before 1.8.16) or an authorization code mismatch (as of 1.8.16). Please refer to this help: https://community.mybb.com/thread-227679-post-1349235.html#pid1349235

References:

  • From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie we know:

    • Domain=<domain-value>: Host to which the cookie will be sent.
      • If omitted, defaults to the host of the current document URL, not including subdomains.
      • Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.
      • Multiple host/domain values are not allowed, but if a domain is specified, then subdomains are always included.
  • From https://tools.ietf.org/html/rfc6265#section-5.4 we know:

    • 1. Let cookie-list be the set of cookies from the cookie store that meets all of the following requirements:
      • Either: The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain.
      • Or: The cookie's host-only-flag is false and the canonicalized request-host domain-matches the cookie's domain.
      • ...
    • 2. The user agent SHOULD sort the cookie-list in the following order:
      • Cookies with longer paths are listed before cookies with shorter paths.
      • Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.
  • A more plain explanation: https://stackoverflow.com/a/4327214/6681141

Further, I think that in a future release MyBB's default install script should remove the leading dot from the auto-detected cookie domain and alert the user to add a cookie prefix when installing multiple MyBB instances under sub-domains, or just provide a random value for the cookie prefix. I know Discuz! does the latter by setting a random cookie prefix.
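The collision described in the issue, modelled as a small RFC 6265 §5.3/§5.4 cookie store (an added example, not code from MyBB or from the issue author). The host names, the `/forum/` path, the `loginkey` cookie name and the `a_`/`b_` prefixes are constructed values; the leading dot is dropped on storage, and `two_installs()` returns exactly the cookies a request to the sub-domain install would carry.

```python
import itertools
from dataclasses import dataclass, field

_clock = itertools.count()  # creation-time ticks for RFC 6265 §5.4 ordering

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # stored without the leading dot (RFC 6265 §5.2.3)
    path: str
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    created: int = field(default_factory=lambda: next(_clock))

def set_cookie(store, name, value, request_host, path, domain_attr=None):
    """Store a cookie as RFC 6265 §5.3 would: a leading dot in Domain is
    ignored, and no Domain attribute means host-only (sub-domains excluded)."""
    if domain_attr:
        store.append(Cookie(name, value, domain_attr.lstrip(".").lower(), path, False))
    else:
        store.append(Cookie(name, value, request_host.lower(), path, True))

def domain_matches(request_host, domain):
    # RFC 6265 §5.1.3: identical, or the request host is a sub-domain of it
    return request_host == domain or request_host.endswith("." + domain)

def path_matches(request_path, cookie_path):
    # RFC 6265 §5.1.4, restricted to the cases exercised here
    return request_path == cookie_path or (request_path.startswith(cookie_path)
        and (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def cookie_header(store, request_host, request_path):
    """RFC 6265 §5.4: select matching cookies, longer paths first, then
    earlier creation time; returns the (name, value) pairs as sent."""
    chosen = [c for c in store
              if ((c.host_only and request_host == c.domain)
                  or (not c.host_only and domain_matches(request_host, c.domain)))
              and path_matches(request_path, c.path)]
    chosen.sort(key=lambda c: (-len(c.path), c.created))
    return [(c.name, c.value) for c in chosen]

def two_installs(prefix_a="", prefix_b=""):
    """Install A at example.com/forum/, install B at forum.example.com/forum/,
    both with an auto-detected dotted cookie domain (constructed values)."""
    store = []
    set_cookie(store, prefix_a + "loginkey", "user-of-A", "example.com", "/forum/", ".example.com")
    set_cookie(store, prefix_b + "loginkey", "user-of-B", "forum.example.com", "/forum/", ".forum.example.com")
    return cookie_header(store, "forum.example.com", "/forum/index.php")
```

With empty prefixes the sub-domain install receives two cookies named `loginkey`, install A's first because it was created earlier, so whichever value the server reads by name, one install's credential is presented to the other; with distinct prefixes both cookies still arrive but under different names.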
