Refine cookie-related docs about cookie domain and cookie prefix
yuliu opened this issue · comments
Relevant docs:
https://docs.mybb.com/1.8/development/cookies/
https://docs.mybb.com/1.8/faq/login-problems/
Points to refine:
- The leading dot in the cookie's domain setting shouldn't be emphasized.
- The cookie prefix may cause login problems in some circumstances.
Although rare, installing two MyBB instances with default settings, at the same relative path but under different levels of the same domain (a domain and a sub-domain of it), may cause a login credential mismatch (before 1.8.16) or an authorization code mismatch (as of 1.8.16). Please refer to this help: https://community.mybb.com/thread-227679-post-1349235.html#pid1349235
References:
From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie we know:
- Domain=<domain-value>: Host to which the cookie will be sent.
- If omitted, defaults to the host of the current document URL, not including subdomains.
- Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.
- Multiple host/domain values are not allowed, but if a domain is specified, then subdomains are always included.
From https://tools.ietf.org/html/rfc6265#section-5.4 we know:
- 1. Let cookie-list be the set of cookies from the cookie store that meets all of the following requirements:
- Either: The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain.
- Or: The cookie's host-only-flag is false and the canonicalized request-host domain-matches the cookie's domain.
- ...
- 2. The user agent SHOULD sort the cookie-list in the following order:
- Cookies with longer paths are listed before cookies with shorter paths.
- Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.
A more plain explanation: https://stackoverflow.com/a/4327214/6681141
Further, I think that in a future release MyBB's default install script should remove the leading dot from the cookie-domain auto-detect, and either alert the user to add a cookie prefix when installing multiple MyBB instances under sub-domains or just provide a random value for the cookie prefix. I know Discuz! does the latter by setting a random cookie prefix.
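To make the RFC 6265 behaviour quoted above concrete, here is an added example (not MyBB code, not from the issue author) that simulates a browser cookie store: the leading-dot stripping of section 5.2.3, domain-matching of section 5.1.3, and the selection and sorting of section 5.4. It then replays the collision scenario from the issue with two installs at the same relative path on a domain and one of its sub-domains. The hostnames (`example.com`, `sub.example.com`), the path `/forum/`, the cookie name `mybbuser` and the auto-detected domain values are constructed assumptions for illustration; the point shown is that with an empty prefix the sub-domain install receives two cookies with the same name, while a distinct prefix keeps them apart.

```python
"""Simulated RFC 6265 cookie store (added example, not MyBB's own code).

Hostnames, paths and cookie names are constructed for illustration.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional, Tuple

_creation = count()  # stand-in for the cookie's creation-time (section 5.3)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # canonicalized, never stored with a leading dot (section 5.2.3)
    path: str
    host_only: bool   # True when the Set-Cookie header omitted Domain
    created: int = field(default_factory=lambda: next(_creation))


def domain_matches(request_host: str, domain: str) -> bool:
    """Section 5.1.3: the host equals the domain or is a sub-domain of it."""
    request_host, domain = request_host.lower(), domain.lower()
    return request_host == domain or request_host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def set_cookie(store: List[Cookie], request_host: str, name: str, value: str,
               domain: Optional[str] = None, path: str = "/") -> Optional[Cookie]:
    """Store a cookie the way a UA does on receiving Set-Cookie (section 5.3).

    A leading dot in Domain is ignored, a Domain that does not cover the
    responding host causes the cookie to be dropped, and an omitted Domain
    produces a host-only cookie.
    """
    if domain is None:
        cookie = Cookie(name, value, request_host.lower(), path, host_only=True)
    else:
        domain = domain.lower().lstrip(".")  # ".example.com" is treated as "example.com"
        if not domain_matches(request_host, domain):
            return None                       # the UA ignores the cookie entirely
        cookie = Cookie(name, value, domain, path, host_only=False)
    # Section 5.3 step 11: a cookie with the same name, domain and path is replaced
    store[:] = [c for c in store if not (c.name == cookie.name and
                                         c.domain == cookie.domain and
                                         c.path == cookie.path)]
    store.append(cookie)
    return cookie


def cookie_header(store: List[Cookie], request_host: str,
                  request_path: str) -> List[Tuple[str, str]]:
    """Section 5.4: the cookie-list a UA attaches to a request, in order."""
    request_host = request_host.lower()
    selected = [c for c in store
                if ((c.host_only and request_host == c.domain) or
                    (not c.host_only and domain_matches(request_host, c.domain)))
                and path_matches(request_path, c.path)]
    # Longer paths first; among equal-length paths, earlier creation-time first
    selected.sort(key=lambda c: (-len(c.path), c.created))
    return [(c.name, c.value) for c in selected]


def mybb_collision(prefix_a: str = "", prefix_b: str = "") -> dict:
    """Replay the issue's scenario in one browser: install A on example.com and
    install B on sub.example.com, both under /forum/, each setting its session
    cookie with its (assumed) auto-detected, leading-dot cookie domain.
    Returns the cookies each server would receive for a request to /forum/member.php.
    """
    store: List[Cookie] = []
    set_cookie(store, "example.com", prefix_a + "mybbuser", "A-session",
               domain=".example.com", path="/forum/")
    set_cookie(store, "sub.example.com", prefix_b + "mybbuser", "B-session",
               domain=".sub.example.com", path="/forum/")
    return {
        "example.com": cookie_header(store, "example.com", "/forum/member.php"),
        "sub.example.com": cookie_header(store, "sub.example.com", "/forum/member.php"),
    }


if __name__ == "__main__":
    print("no prefix      :", mybb_collision())
    print("distinct prefix:", mybb_collision("", "b_"))
```

Running it shows that `example.com` only ever sees install A's cookie, but `sub.example.com` receives both `mybbuser` cookies (A's first, because it was created first), which is the mismatch the issue describes; giving install B a prefix such as `b_` makes the two names distinct so each install reads only its own value.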