mybb / docs.mybb.com

The MyBB documentation.

Home Page:https://docs.mybb.com


Refine cookie-related docs about cookie domain and cookie prefix

yuliu opened this issue · comments

Relevant docs:
https://docs.mybb.com/1.8/development/cookies/
https://docs.mybb.com/1.8/faq/login-problems/

Points to refine:

  • The leading dot in the cookie's domain setting shouldn't get emphasized.
  • Cookie prefix may cause login problems in some circumstances.
    Although rare, installing two MyBB instances with default settings, with the same relative path but under different levels of the same domain (a domain and a sub-domain w.r.t. the first one), may cause a login credential mismatch (before 1.8.16) or an authorization code mismatch (as of 1.8.16). Please refer to this help: https://community.mybb.com/thread-227679-post-1349235.html#pid1349235

References:

  • From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie we know:

    • Domain=<domain-value>: Host to which the cookie will be sent.
      • If omitted, defaults to the host of the current document URL, not including subdomains.
      • Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.
      • Multiple host/domain values are not allowed, but if a domain is specified, then subdomains are always included.
  • From https://tools.ietf.org/html/rfc6265#section-5.4 we know:

    • 1, Let cookie-list be the set of cookies from the cookie store that meets all of the following requirements:
      • Either: The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain.
      • Or: The cookie's host-only-flag is false and the canonicalized request-host domain-matches the cookie's domain.
      • ...
    • 2, The user agent SHOULD sort the cookie-list in the following order:
      • Cookies with longer paths are listed before cookies with shorter paths.
      • Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.
  • A more plain explanation: https://stackoverflow.com/a/4327214/6681141

Further, I think that in a future release MyBB's default install script should remove the leading dot from the auto-detected cookie domain and alert the user about adding a cookie prefix if installing multiple MyBB instances under sub-domains, or just provide a random value for the cookie prefix. I know Discuz! does the latter by setting a random cookie prefix.
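As an added illustration (not MyBB's code and not the issue author's), a small Python model of the RFC 6265 section 5.4 selection rules quoted above, applied to the two-install scenario the issue describes. The hostnames, cookie names and values are constructed for the example; path matching is simplified to a prefix test.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # stored without any leading dot (RFC 6265 section 5.2.3)
    path: str
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute
    created: int      # creation order, a stand-in for creation-time

def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or request_host is a subdomain of domain."""
    return request_host == domain or request_host.endswith("." + domain)

def store(jar: list, name: str, value: str, request_host: str,
          set_domain: Optional[str] = None, path: str = "/") -> None:
    """Store a cookie the way a user agent does: a leading dot in Domain is
    ignored, and a cookie set without Domain becomes host-only."""
    if set_domain is None:
        jar.append(Cookie(name, value, request_host, path, True, len(jar)))
    else:
        jar.append(Cookie(name, value, set_domain.lstrip("."), path, False, len(jar)))

def cookie_header(jar: list, request_host: str, request_path: str = "/") -> list:
    """RFC 6265 section 5.4: select matching cookies, longer paths first,
    then earlier creation-times first (path matching simplified to a prefix test)."""
    matched = [c for c in jar
               if ((c.host_only and request_host == c.domain)
                   or (not c.host_only and domain_matches(request_host, c.domain)))
               and request_path.startswith(c.path)]
    matched.sort(key=lambda c: (-len(c.path), c.created))
    return [(c.name, c.value) for c in matched]

def two_installs(prefix_a: str = "", prefix_b: str = "") -> list:
    """Constructed scenario: install A at example.com (auto-detected cookie domain
    '.example.com') and install B at forum.example.com ('.forum.example.com'),
    both at path '/'. Returns the cookies a browser sends to forum.example.com."""
    jar = []
    store(jar, prefix_a + "mybbuser", "A-session", "example.com", ".example.com")
    store(jar, prefix_b + "mybbuser", "B-session", "forum.example.com", ".forum.example.com")
    return cookie_header(jar, "forum.example.com")

if __name__ == "__main__":
    # Same (empty) prefix: both cookies arrive under one name, A's older cookie listed first.
    print(two_installs())
    # A distinct prefix on install B: the names no longer collide.
    print(two_installs(prefix_b="b_"))
```

With identical prefixes the sub-domain install receives two `mybbuser` cookies and which one the application reads depends on its cookie parser, which is the mismatch the issue describes; a distinct prefix removes the collision.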