[TYPO3-dev] Is config key 'cookieDomain' worth a patch?
Xavier Perseguers
typo3 at perseguers.ch
Sat Jan 3 11:49:30 CET 2009
Hi,
I think that the way cookie domains are currently handled with
$TYPO3_CONF_VARS['SYS']['cookieDomain']
is not smart enough.
==== BACKGROUND ====
When you log in (BE or FE) and have configured
$TYPO3_CONF_VARS['SYS']['cookieDomain'] = 'www.domain.tld';
then your cookie is attached to domain www.domain.tld and your browser
checks that it is being sent only to this domain. This means that if you
have multiple domains hosted in a single install (multiple tree hosts),
let's say www.domain.tld and subsite.domain.tld, leaving this
configuration as is will prevent you from using cookies for
subsite.domain.tld and thus from using a login. This is not bad with the BE as
you may say that you always administer your website from
www.domain.tld/typo3 but it prevents using it with a private area on FE.
Actually there is a way to do this, either using
$TYPO3_CONF_VARS['SYS']['cookieDomain'] = '.domain.tld';
or
$TYPO3_CONF_VARS['SYS']['cookieDomain'] = '';
The first method allows the cookie to be sent for all subdomains. This way a
cookie is valid for all subdomains once created from a particular domain.
Meaning that once logged in on www.domain.tld, you may be able to move to a
private area on subdomain.domain.tld (if users match of course).
With the second method, leaving cookieDomain empty, the cookie domain is
created for the current domain in use. Hence you cannot share cookies
among subdomains.
==== WHY IS IT NOT SMART ENOUGH ====
I have a "special" configuration need where the backend should be on
http://www.myproject.tld/subdomain1
with multiple instances of this project under
http://www.myproject.tld/subdomain2
http://www.myproject.tld/subdomain3
while having the frontend websites (there are multiple websites per
tree) on *.domain1.com for TYPO3 installed on subdomain1, on
*.domain2.com for subdomain2, etc.
Meaning that I'm forced to leave cookieDomain empty (because
www.myproject.tld and *.domain1.com have nothing in common). But this
prevents me from keeping my session among *all* *.domain1.com websites.
==== WHAT I SUGGEST ====
1) Either create a second cookieDomain parameter to be used for FE (or BE)
2) Better would be to add this configuration property to the domain
record itself. This way it would fall back to current behaviour if not
configured but would allow me to handle even more complex scenarios.
What is your point of view? TYPO3 4.3 is not yet out and thus there would
still be time to do this.
--
Xavier Perseguers
http://xavier.perseguers.ch/en
One contribution a day keeps the fork away
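
Added example (not part of the original message and not TYPO3 code): a simplified model of the browser's cookie domain-matching rule from RFC 6265, run over the cookieDomain values discussed above, including the case where a single global value cannot serve both www.myproject.tld and *.domain1.com. The function names and the hosts shop.domain1.com and blog.domain1.com are assumptions made for illustration; public-suffix and IP-address handling are left out.

```javascript
// Added example: simplified RFC 6265 domain matching.
// Assumption: no public-suffix list and no IP-address handling.

// True if `host` equals `domain` or is a subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// How a browser stores a cookie set by `originHost` with the given
// cookieDomain value ('' means no Domain attribute is sent).
// Returns null when the browser rejects the cookie.
function storeCookie(originHost, cookieDomain) {
  if (cookieDomain === '') {
    // Host-only cookie: bound to the exact host that set it.
    return { domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = cookieDomain.replace(/^\./, '').toLowerCase();
  // A server may only set a cookie for a domain it belongs to.
  if (!domainMatches(originHost, domain)) return null;
  return { domain, hostOnly: false };
}

// True if a cookie set by `originHost` is later sent to `requestHost`.
function cookieSentTo(originHost, cookieDomain, requestHost) {
  const cookie = storeCookie(originHost, cookieDomain);
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

// Constructed scenarios: [host setting the cookie, cookieDomain, host visited next].
const scenarios = [
  ['www.domain.tld', 'www.domain.tld', 'subsite.domain.tld'],
  ['www.domain.tld', '.domain.tld', 'subsite.domain.tld'],
  ['www.domain.tld', '', 'subsite.domain.tld'],
  ['www.myproject.tld', '.domain1.com', 'shop.domain1.com'], // rejected at set time
  ['shop.domain1.com', '.domain1.com', 'blog.domain1.com'],
];
for (const [origin, setting, target] of scenarios) {
  console.log(`${origin} cookieDomain='${setting}' -> ${target}:`,
    cookieSentTo(origin, setting, target));
}
```

With '.domain.tld' the session cookie reaches every host under domain.tld, so each of those hosts has to be trusted with the session.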