[TYPO3-dev] major cookie problem 4.3 IE8...

Ernesto Baschny [cron IT] ernst at cron-it.de
Wed Feb 10 21:41:38 CET 2010


Hi,

Thomas "Thasmo" Deinhamer wrote on 10.02.2010 18:44:
> If you visit a TYPO3 site, a cookie is set, whether you're
> logged in or not. It's the fe_user cookie, and this cookie
> has a defined cookie domain, which is wrong.

How do you know it is "wrong"?

By default a TYPO3 installation won't set any domain for your cookie.

I think you are trusting the IE8 developer toolbar and the "Cookie
Information" tab, which displays the session cookies as from domain
".com" or ".de". This is a bug of the developer toolbar and not really
relevant to the discussion of "lost cookies" we are having.

Check for yourself: visit www.facebook.com, www.twitter.com. Those are
clearly not TYPO3 installations; they also set session cookies. Check
out the IE8 developer toolbar, and the bogus information returned there.

To be sure what "cookies" your IE8 is sending out, you have to sniff the
network using Wireshark or something equivalent. I've done that, and you
can read my conclusions in the note on the bug tracker [1]. There you
will also find a potential patch that solves the issue.

Cheers,
Ernesto

[1] http://bugs.typo3.org/view.php?id=13470#c34910

>
> I have the same behaviour with IE8 on a TYPO3 4.3.1 site.
> 
> Thomas
> 
> On 10.02.2010 15:34, Ernesto Baschny [cron IT] wrote:
>> Stig Nørgaard Færch wrote on 10.02.2010 15:20:
>>> Ernesto Baschny [cron IT] wrote:
>>>> Stig Nørgaard Færch wrote on 10.02.2010 13:46:
>>>>> Stig Nørgaard Færch wrote:
>>>>>> Could somebody confirm this problem:
>>>>>> * Open IE8
>>>>>> * Go to a 4.3 site - www.busynoggin.com etc.
>>>>>> * View the cookies
>>>>>>
>>>>>> What I see is that fe_typo_user is set to .com and not
>>>>>> www.busynoggin.com
>>>>>>
>>>>>> I guess this isn't intended?
>>>>>> Bug report: http://bugs.typo3.org/view.php?id=13470
>>>>> It would be interesting to see if there is an example where the cookie
>>>>> is generated correctly with 4.3 / IE8 (IE7?).
>>>>
>>>> It does work correctly if you don't change the domain in between. Or
>>>> doesn't it?
>>>
>>> If I clear all browser cache, then visit a site like www.busynoggin.com
>>> with IE8, then the cookie is already bad.
>>>
>>> If you have Win/IE8 - it's pretty easy to replicate the bug with
>>> www.busynoggin.com etc.
>>
>> Where can I replicate the problem on "www.busynogging.com"? There is no
>> login or shopping basket or anything that might suggest that there is
>> session data. Could you point out how to exactly reproduce the problem
>> there?
>>
>> Cheers,
>> Ernesto
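
The wire-level check described in the message above, as an added example that is not part of the original post or of TYPO3: it reads the Domain attribute from the Set-Cookie headers of a captured response and the cookies the browser actually sent back, instead of relying on a toolbar display. The capture text, the host www.example.com and the cookie values are constructed for illustration.

```python
# Constructed HTTP exchange (as copied out of a capture); host and values are made up.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: fe_typo_user=0123456789abcdef; path=/\r\n"
    "Set-Cookie: other=1; Domain=.example.com; Path=/\r\n"
    "\r\n"
)
NEXT_REQUEST = (
    "GET /index.php?id=2 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: fe_typo_user=0123456789abcdef\r\n"
    "\r\n"
)

def header_values(raw, name):
    """All values of header `name` (case-insensitive) in a raw HTTP message head."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def cookie_scope(response):
    """Map cookie name -> Domain attribute the server sent, None if host-only."""
    scope = {}
    for header in header_values(response, "Set-Cookie"):
        parts = [p.strip() for p in header.split(";") if p.strip()]
        name = parts[0].partition("=")[0].strip()
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
        scope[name] = attrs.get("domain")
    return scope

def cookies_sent(request):
    """Map cookie name -> value from the Cookie header the browser sent."""
    sent = {}
    for header in header_values(request, "Cookie"):
        for pair in header.split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep:
                sent[name] = value
    return sent

if __name__ == "__main__":
    print("Set-Cookie scope:", cookie_scope(RESPONSE))
    print("Sent back:", cookies_sent(NEXT_REQUEST))
```

A `None` scope means the server set no Domain attribute, so the cookie is host-only regardless of what a browser tool displays.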



