[TYPO3-core] RFC #15334: Feature: Allow separate cookie domain for FE and BE
François Suter
fsu-lists at cobweb.ch
Wed Aug 4 10:38:38 CEST 2010
Hi,
> In my opinion, you cannot restrict access using cookieDomain. It is up
> to the browser to respect the cookieDomain, so he might as well send
> back the cookie even if the domain doesn't match.
>
> I thought you had restricted it using apache configuration? That would
> be the "way to go". In my opinion, restricting access to BE through a
> certain domain could be a whole new feature.
OK, let me rephrase that. The true restriction was indeed implemented
using Apache configuration. But this feature is needed because if people
try to log into the BE with a domain that doesn't match
$TYPO3_CONF_VARS['SYS']['cookieDomain'], they will fail. And
$TYPO3_CONF_VARS['SYS']['cookieDomain'] needs to be strictly defined in
our case, because the FE also has a secured part where the domain must
be defined. So we really have a need to have two clearly defined
domains, different for both FE and BE.
Cheers
--
Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch
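
Why a BE login fails under a single, strictly defined cookieDomain, shown as an added example that is not part of the original message and not TYPO3 code. It assumes the failure is a conforming browser applying RFC 6265 domain matching and discarding a session cookie whose Domain does not match the host that set it. The host names and the FE/BE mapping are constructed.

```python
# Added illustration: RFC 6265 domain matching as a conforming browser applies it.
# Host names and the per-context mapping below are constructed, not TYPO3 code.
import ipaddress


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: does the request host match the Domain attribute?"""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored (5.2.3)
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)  # IP literals only ever match exactly
        return False
    except ValueError:
        pass
    # Suffix match must fall on a label boundary ("badexample.org" must not match).
    return host.endswith("." + domain)


def browser_stores_cookie(request_host, cookie_domain):
    """A conforming browser ignores a Set-Cookie whose Domain does not match."""
    if not cookie_domain:  # no Domain attribute: host-only cookie, always stored
        return True
    return domain_match(request_host, cookie_domain)


def login_outcomes(cookie_domains, requests):
    """Map (context, host) -> whether the session cookie survives the login response."""
    return {(ctx, host): browser_stores_cookie(host, cookie_domains.get(ctx))
            for ctx, host in requests}


# Constructed hosts: secured FE on one domain, BE reached through another.
REQUESTS = [("FE", "secure.example.org"), ("BE", "admin.example.net")]

# One shared value (the situation described in the message): the BE cookie is dropped.
SHARED = {"FE": ".example.org", "BE": ".example.org"}
# A separate value per context (what the RFC asks for): both cookies are kept.
SEPARATE = {"FE": ".example.org", "BE": ".example.net"}

if __name__ == "__main__":
    for label, cfg in (("shared", SHARED), ("separate", SEPARATE)):
        for key, stored in login_outcomes(cfg, REQUESTS).items():
            print(label, key, "cookie stored" if stored else "cookie rejected")
```

The check runs entirely in the client, which is the point made in the quoted text: the Domain attribute decides where a well-behaved browser stores and returns the cookie, while the restriction on who may reach the BE stays with the server configuration.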