tags:

views:

32

answers:

2
+1  Q: 

$cookie_domain value causes access denied upon login

I have FCK editor installed, and trying to enable FCK file manager.

It tells me that in order to use it, $cookie_domain must be set.

Easy enough, I set it to www.mysite.com. I can log in, register, etc just fine. However I started seeing a number of people get Access Denied after logging in or trying to access any protected area.

Commenting out $cookie_domain, users can get in fine.

I am looking for one of the following:

A. A harmonious answer where FCK file manager and $cookie_domain can be set

-or-

B. An alternative to FCK editor (like CK) that allows in-place file uploading without requiring cookie domain to be set (and interrupting user experience).

+1  A: 

Try setting $cookie_domain to simply mysite.com instead of www.mysite.com. This will avoid problems if users are accessing your site via just http://mysite.com or http://some-subdomain.mysite.com.

Try as an experiment to use the FCK filemanager when logged in at http://mysite.com (no leading www) -- does it fail or work under the current settings?

See under Domain and Path on http://www.quirksmode.org/js/cookies.html

Sid NoParrots  2010-10-12 19:36:20
I have added the .htaccess part that sends them to www. if not specified. We need to enforce www. Also, I can't just fool with the setting as it is a big ecommerce site and don't want to block anyone from logging in.
Kevin  2010-10-12 19:45:04
This setting is going to relax the restrictions so I don't think its going to have any blocking effect. Also are you sure that the FCK file manager is the root cause of access denied errors?
Sid NoParrots  2010-10-12 19:48:37
Also, we were getting the same result with just mydomain.com set on a test site before launching. Domain Access is also being utilized. FCK File Manager requires cookie_domain to be set, and in setting it, caused the Access Denied for people. Until you set the cookie_domain, the file manager cannot be used.
Kevin  2010-10-12 19:49:49
@Kevin: Did you try with leading dot `.mysite.com`? (This would be the [suggested standard](http://www.ietf.org/rfc/rfc2109.txt))
Henrik Opel  2010-10-13 21:03:20
Not yet, I am afraid of locking people out of the site. I will have to try on the dev site and get some people over on it and logging in.
Kevin  2010-10-13 22:21:19
A: 

This is what wound up working for me (Domain Access is installed):

$base_domain = explode('.', $_SERVER['SERVER_NAME']);
unset($base_domain[0]);
$base_domain = '.' . implode($base_domain, '.');

$cookie_domain = $base_domain;
Kevin  2010-10-18 20:25:49

related questions

Storing xml data in a cookie
Best way to secure an AJAX app
Is it possible to delete subdomain cookies?
What are the possible causes of a CGI::Session::CookieStore::TamperedWithCookie exception in rails
How do I access cookies within Flash?
Cookies and subdomains
Accessing Domain Cookies within an iFrame on Internet Explorer
Web Dev - Where to store state of a shopping-cart-like object?
Can JQuery read/write cookies to a browser?
Can you reliably set or delete a cookie during the server side processing of an Ajax (XHR) call?
How can I add cookies to Seaside responses without redirecting?
passing or reading .net cookie in php page
Best way for allowing subdomain session cookies using Tomcat
Why can't I delete this cookie?!
Apache Download: Make sure that page was viewed before download
Secure session cookies in ASP.NET over HTTPS
Always including the user in the django template context
How do you set up use HttpOnly cookies in PHP
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
How do HttpOnly cookies work with AJAX requests?
What is the best way to prevent session hijacking?
Associating source and search keywords with account creation
How would you implement FORM based authentication without a backing database?
How do I stop IIS7 dropping my cookies?