
Refine cookie-related docs about cookie domain and cookie prefix #195

Open
yuliu opened this issue May 10, 2020 · 0 comments

yuliu commented May 10, 2020

Relevant docs:
https://docs.mybb.com/1.8/development/cookies/
https://docs.mybb.com/1.8/faq/login-problems/

Points to refine:

  • The leading dot in the cookie domain setting shouldn't get emphasized.
  • The cookie prefix may cause login problems in some circumstances.
    Although rare, installing two MyBB instances with default settings, with the same relative path but under different levels of the same domain (a domain and a sub-domain of it), may cause a login credential mismatch (before 1.8.16) or an authorization code mismatch (as of 1.8.16). Please refer to this help: https://community.mybb.com/thread-227679-post-1349235.html#pid1349235

References:

  • From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie we know:

    • Domain=<domain-value>: Host to which the cookie will be sent.
      • If omitted, defaults to the host of the current document URL, not including subdomains.
      • Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.
      • Multiple host/domain values are not allowed, but if a domain is specified, then subdomains are always included.
  • From https://tools.ietf.org/html/rfc6265#section-5.4 we know:

    • 1. Let cookie-list be the set of cookies from the cookie store that meets all of the following requirements:
      • Either: The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain.
      • Or: The cookie's host-only-flag is false and the canonicalized request-host domain-matches the cookie's domain.
      • ...
    • 2. The user agent SHOULD sort the cookie-list in the following order:
      • Cookies with longer paths are listed before cookies with shorter paths.
      • Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.
  • A more plain explanation: https://stackoverflow.com/a/4327214/6681141

Further, I think that in a future release MyBB's default install script should remove the leading dot from the auto-detected cookie domain and alert the user about adding a cookie prefix when installing multiple MyBB instances under sub-domains, or just provide a random value for the cookie prefix. I know Discuz! does the latter by setting a random cookie prefix.
