
XenForo's handling of cookie domains

Discussion in 'XenForo Questions and Support' started by cmeinck, Apr 25, 2011.

  1. cmeinck

    cmeinck Well-Known Member

    One of my XenForo forums deals with Windows Phone 7 devices. I have it set up to support Tapatalk. They don't have an official client, but there is an app called Board Express that supports Tapatalk. Now, here's where things get tricky. The Windows Phone Tapatalk forum app Board Express does not support XenForo. I've been in touch with the developer and he's indicated the following as a problem. I'm not a developer, but was hoping I might be able to offer him a solution based on feedback from developers here on the XF forums.

    Any suggestions that I might be able to pass along?
     
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Add this code to your library/config.php file to set your own cookie domain:

    Code:
    $config['cookie'] = array(
    	'prefix' => 'xf_',
    	'path' => '/',
    	'domain' => ''
    );
    
    Examples include:

    Code:
    // COOKIES WILL ONLY WORK ON www.yoursite.com
    $config['cookie'] = array(
    	'prefix' => 'xf_',
    	'path' => '/',
    	'domain' => 'www.yoursite.com'
    );
    
    Code:
    // COOKIES WILL WORK ON ANY SUBDOMAIN OF yoursite.com, WITH OR WITHOUT www
    $config['cookie'] = array(
    	'prefix' => 'xf_',
    	'path' => '/',
    	'domain' => '.yoursite.com'
    );
    
     
  3. cmeinck

    cmeinck Well-Known Member

    Thanks Jake. I've passed this on to the dev and hoping he'll be amicable to doing some tests on my site.
     
  4. Member 3639

    Member 3639 Active Member

    Okay, after testing, I tried Jake's code, and while it allowed me to use the cookie on a subdomain, it seems to break the login for other people on XenForo?
     
  5. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Break how?

    Note that when changing the cookie scope like this, it is sometimes necessary to manually delete the old cookies in the client browser. Otherwise the two cookies can conflict and cause problems like not being able to log out of the forum if you were previously logged in.

    Alternatively you can change the cookie prefix in addition to the domain which should avoid conflicts with old cookies.
     
  6. Member 3639

    Member 3639 Active Member

    Ah, you know, that's probably what did it. I think they may have ended up getting two cookies. Will try it again.

    Edit > Yeah, for future reference, people need to either rename the prefix or tell users to delete old cookies.
     
  7. Member 3639

    Member 3639 Active Member

    In fact, now other users are reporting this:

    "Cookies are required to log in to this site. You will not be able to login until they are accepted."

    It seems this code doesn't sit too well with XenForo. It should really be an admin option to properly change cookie settings, pretty stupid it's not included.
     
  8. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    What generates that error? Are you able to reproduce it?

    Also, can you post your cookie settings from your config file?

    That is intentional. Having those settings in the Admin CP allows the admin to lock themselves out if they enter invalid cookie settings.
     
  9. Mike

    Mike XenForo Developer Staff Member

    Cookie settings aren't really meant to be changed, because of what Jake pointed out. Changing this via the admin wouldn't make a bit of difference, unfortunately.

    When 2 cookies have the same name with different paths, there's no priority in what is actually seen by the server. Additionally, when elements change, it's not possible to properly clear the cookies from the server side.

    Changing the prefix whenever you make changes is the best way to be safe. If there are issues with a different prefix, then there is likely a different issue at play because XF doesn't even look at the old cookies.

    The only way the error you reported can be triggered is if there are no cookies set for your domain at all. You may need to check the settings that you used, as the browsers are likely not accepting the cookies (or there's another issue with them).
     
  10. kingston

    kingston Well-Known Member

    I did the "cookie will work on any subdomain" one (so I could have a WordPress site and XenForo site on the same server but on separate subdomains, and using the bridge could be logged into both), but now I cannot log out of XenForo. Any idea what I am doing wrong?
     
  11. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Yes, the cookie will be available to both subdomains.

    Try changing the prefix to resolve the logout problem. I posted about that in an earlier post:

    http://xenforo.com/community/threads/xenforos-handing-of-cookie-domains.15260/#post-217075

     
  12. kingston

    kingston Well-Known Member

  13. Uniphix

    Uniphix Active Member

    Is there a way to restrict that a certain subdomain is not to be used in the same cookies? For example, I have dev.yoursite.com that is basically the development platform that I work on, then I have yoursite.com that is the official production site.

    Is there a way to make dev.yoursite.com use a certain cookie prefix, because on yoursite.com I use .yoursite.com??
     
  14. James

    James Well-Known Member

    Code:
    // COOKIES WILL ONLY WORK ON dev.yoursite.com
    $config['cookie'] = array(
    	'prefix' => 'xfdev_',
    	'path' => '/',
    	'domain' => 'dev.yoursite.com'
    );
    
    Try that, it should prefix your development cookie with xfdev_ and it should only work on dev.yoursite.com.
     
    CRDeveloper and sonnb like this.
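
The cookie conflict discussed earlier in the thread (old and new cookies with the same name) and the dev/production split in the post above, as an added example that is not part of any post and is not XenForo code. It is a simplified model of a browser cookie jar under RFC 6265 storage rules (path matching, expiry times and public-suffix checks are left out); `xf2_` is a hypothetical replacement prefix, and the hosts and values are constructed.

```javascript
// Minimal model of a browser cookie jar following RFC 6265 storage rules.
// Hosts and cookie values are constructed for illustration.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Handle a Set-Cookie from `host`. An empty domain ('domain' => '') yields a
  // host-only cookie; a Domain attribute also covers subdomains (leading dot ignored).
  set(host, { name, value = '', domain = '', path = '/', expire = false }) {
    const hostOnly = domain === '';
    const scope = hostOnly ? host : domain.replace(/^\./, '');
    if (!domainMatch(host, scope)) return false; // browser rejects it
    // Replacement and deletion require the same name, domain AND path.
    this.cookies = this.cookies.filter(
      c => !(c.name === name && c.scope === scope && c.path === path));
    if (!expire) this.cookies.push({ name, value, scope, path, hostOnly });
    return true;
  }
  // Values of cookie `name` that the browser attaches to a request to `host`.
  sent(host, name) {
    return this.cookies
      .filter(c => c.name === name &&
        (c.hostOnly ? c.scope === host : domainMatch(host, c.scope)))
      .map(c => c.value);
  }
}

// Widen the cookie domain on www.yoursite.com, then log out.
function widenThenLogout(newPrefix) {
  const jar = new CookieJar(), host = 'www.yoursite.com', name = newPrefix + 'user';
  jar.set(host, { name: 'xf_user', value: 'old' });               // before the change
  jar.set(host, { name, value: 'new', domain: '.yoursite.com' }); // after it
  const whileLoggedIn = jar.sent(host, name);
  // Logout expires the cookie using the current settings only.
  jar.set(host, { name, domain: '.yoursite.com', expire: true });
  return { whileLoggedIn, afterLogout: jar.sent(host, name) };
}

// Production on '.yoursite.com' (prefix xf_), dev on 'dev.yoursite.com' (xfdev_).
function devIsolation() {
  const jar = new CookieJar();
  jar.set('yoursite.com', { name: 'xf_user', value: 'prod', domain: '.yoursite.com' });
  jar.set('dev.yoursite.com', { name: 'xfdev_user', value: 'dev', domain: 'dev.yoursite.com' });
  return { prodSentToDev: jar.sent('dev.yoursite.com', 'xf_user'),
           devSentToProd: jar.sent('yoursite.com', 'xfdev_user') };
}
```

With the prefix left at `xf_`, the browser sends both the old and the new `xf_user` and the old one survives logout; with a new prefix only the new cookie is sent and logout clears it. `devIsolation()` shows that the distinct prefix keeps the dev site from reading production logins by name, but the browser still attaches the production `.yoursite.com` cookie to every request to dev.yoursite.com.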
  15. Uniphix

    Uniphix Active Member

    Hmm, I'll give it a try, thanks James.
     
  16. DRE

    DRE Well-Known Member

     
  17. Marcus

    Marcus Well-Known Member

    Domain.com cannot set a .domain.com cookie.
    Www.domain.com can.

    I read some browsers accept domain.com cookies without leading dot. Any updates on that?
     
  18. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    I have never heard that. The leading dot is to cover all subdomains. Otherwise you name domain.com or sub.domain.com to be specific.
     
  19. sweetpotato

    sweetpotato Active Member

    Thank you for the nice instruction, I owe you so much
     
  20. ThEDoZEr

    ThEDoZEr Member

    Hello. I've noticed that XenForo doesn't create an xf_user cookie for users which have admin privileges. Why?
     
