• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XenForo's handing of cookie domains

cmeinck

Well-known member
#1
One of my XenForo forums deals with Windows Phone 7 devices. I have it set up to support Tapatalk. They don't have an official client, but there is an app called Board Express that supports Tapatalk. Now, here's where things get tricky. The Windows Phone Tapatalk forum app Board Express does not support XenForo. I've been in touch with the developer and he's indicated the following as a problem. I'm not a developer, but was hoping I might be able to offer him a solution based on feedback from developers here on the XF forums.

A bigger problem is the wrongly set standard cookie domain set by XenForo. Windows Phone 7 has a very secure implementation of cookie handling, which is ignoring all cookies with not correctly set cookie domains. I’ll have to check how this can be solved. Somewhere in XenForo you should be able to change the cookie domain.
Any suggestions that I might be able to pass along?
 

Jake Bunce

XenForo moderator
Staff member
#2
Add this code to your library/config.php file to set your own cookie domain:

Code:
$config['cookie'] = array(
	'prefix' => 'xf_',
	'path' => '/',
	'domain' => ''
);
Examples include:

Code:
// COOKIES WILL ONLY WORK ON www.yoursite.com
$config['cookie'] = array(
	'prefix' => 'xf_',
	'path' => '/',
	'domain' => 'www.yoursite.com'
);
Code:
// COOKIES WILL WORK ON ANY SUBDOMAIN OF yoursite.com, WITH OR WITHOUT www
$config['cookie'] = array(
	'prefix' => 'xf_',
	'path' => '/',
	'domain' => '.yoursite.com'
);
 
#4
Okay after testing i tried jakes code and while it allowed me to use the cookie on a subdomain, but it seems to break the login for other people on xenforo?
 

Jake Bunce

XenForo moderator
Staff member
#5
Okay after testing i tried jakes code and while it allowed me to use the cookie on a subdomain, but it seems to break the login for other people on xenforo?
Break how?

Note that when changing the cookie scope like this it is sometimes necessary to manually delete the old cookies in the client browser. Otherwise the two cookies can conflict and cause problems like not being able to logout of the forum if you were previously logged in.

Alternatively you can change the cookie prefix in addition to the domain which should avoid conflicts with old cookies.
 
#6
Ah you know that's probably what did it, i think they may have ended up getting two cookies. Will try it again.

Edit > Yeah for future reference people need to either re-name the prefix or tell users to delete old cookies.
 
#7
Infact now other users a reporting this:

"Cookies are required to log in to this site. You will not be able to login until they are accepted."

It seems this code doesn't sit too well with xenforo. It should really be an admin option to properly change cookie settings, pretty stupid it's not included.
 

Jake Bunce

XenForo moderator
Staff member
#8
What generates that error? Are you able to reproduce it?

Also, can you post your cookie settings from your config file?

It should really be an admin option to properly change cookie settings, pretty stupid it's not included.
That is intentional. Having those settings in the Admin CP allows the admin to lock themselves out if they enter invalid cookie settings.
 

Mike

XenForo developer
Staff member
#9
Cookie settings aren't really meant to be changed, because of what Jake pointed out. Changing this via the admin wouldn't make a bit of difference, unfortunately.

When 2 cookies have the same name with different paths, there's no priority in what is actually seen by the server. Additionally, when elements change, it's not possible to properly clear the cookies from the server side.

Changing the prefix whenever you make changes is the best way to be safe. If there are issues with a different prefix, then there is likely a different issue at play because the XF doesn't even look at the old cookies.

The only way the error you reported can be triggered is if there are no cookies set for your domain at all. You may need to check the settings that you used, as the browsers are likely not accepting the cookies (or there's another issue with them).
 

kingston

Well-known member
#10
Add this code to your library/config.php file to set your own cookie domain:

Code:
$config['cookie'] = array(
'prefix' => 'xf_',
'path' => '/',
'domain' => ''
);
Examples include:

Code:
// COOKIES WILL ONLY WORK ON www.yoursite.com
$config['cookie'] = array(
'prefix' => 'xf_',
'path' => '/',
'domain' => 'www.yoursite.com'
);
Code:
// COOKIES WILL WORK ON ANY SUBDOMAIN OF yoursite.com, WITH OR WITHOUT www
$config['cookie'] = array(
'prefix' => 'xf_',
'path' => '/',
'domain' => '.yoursite.com'
);
I did the cookie will work on any subdomain one (so I could have a wordpress site and xenforo site on the same server but separate sub domains but using the bridge could be logged into both) but now I cannot log out of XenForo. Any idea what I am doing wrong?
 

Jake Bunce

XenForo moderator
Staff member
#11
I did the cookie will work on any subdomain one (so I could have a wordpress site and xenforo site on the same server but separate sub domains but using the bridge could be logged into both) but now I cannot log out of XenForo. Any idea what I am doing wrong?
Yes, the cookie will be available to both subdomains.

Try changing the prefix to resolve the logout problem. I posted about that in an earlier post:

http://xenforo.com/community/threads/xenforos-handing-of-cookie-domains.15260/#post-217075

Break how?

Note that when changing the cookie scope like this it is sometimes necessary to manually delete the old cookies in the client browser. Otherwise the two cookies can conflict and cause problems like not being able to logout of the forum if you were previously logged in.

Alternatively you can change the cookie prefix in addition to the domain which should avoid conflicts with old cookies.
 

Uniphix

Active member
#13
Is there a way to restrict that a certain subdomain is not to be used in the same cookies? For example I have dev.yoursite.com that is basically the development platform that I work on, then I have yoursite.com that is the offical production site.

Is there a way to make dev.yoursite.com use a certain cookie prefix because on yoursite.com i use .yoursite.com??
 

James

Well-known member
#14
Is there a way to restrict that a certain subdomain is not to be used in the same cookies? For example I have dev.yoursite.com that is basically the development platform that I work on, then I have yoursite.com that is the offical production site.

Is there a way to make dev.yoursite.com use a certain cookie prefix because on yoursite.com i use .yoursite.com??
Code:
// COOKIES WILL ONLY WORK ON dev.yoursite.com
$config['cookie'] = array(
'prefix' => 'xfdev_',
'path' => '/',
'domain' => 'dev.yoursite.com'
);
Try that, it should prefix your development cookie with xfdev_ and it should only work on dev.yoursite.com.
 

DRE

Well-known member
#16
Add this code to your library/config.php file to set your own cookie domain:

Examples include:

Code:
// COOKIES WILL ONLY WORK ON www.yoursite.com
$config['cookie'] = array(
'prefix' => 'xf_',
'path' => '/',
'domain' => 'www.yoursite.com'
);
Thanks
 
#19
Add this code to your library/config.php file to set your own cookie domain:

Code:
$config['cookie'] = array(
'prefix' => 'xf_',
'path' => '/',
'domain' => ''
);
Examples include:

Code:
// COOKIES WILL ONLY WORK ON www.yoursite.com
$config['cookie'] = array(
'prefix' => 'xf_',
'path' => '/',
'domain' => 'www.yoursite.com'
);
Code:
// COOKIES WILL WORK ON ANY SUBDOMAIN OF yoursite.com, WITH OR WITHOUT www
$config['cookie'] = array(
'prefix' => 'xf_',
'path' => '/',
'domain' => '.yoursite.com'
);
Thank you for the nice instruction, I owe you so much