[TYPO3-core] RFC #13470: Session/Login not working in IE8 across subdomains

Ernesto Baschny [cron IT] ernst at cron-it.de
Thu Feb 25 16:48:07 CET 2010


Sigfried Arnold wrote on 25.02.2010 16:35:
> On 12.02.2010 10:22, Ernesto Baschny [cron IT] wrote:
>> 2) Visit once "domain.com" (without the subdomain)
>> 3) Change to "www.domain.com"
> 
> example.com and www.example.com are two different authorities - if
> someone has a cookie for one, he should not have one for the other
> domain (technically) - see RFC 2965 for details.
> 
> if the cookie is set for ".example.com" it should be valid for
> www.example.com too, but if it's set explicitly for "example.com" it
> should not be valid on "www.example.com".
> 
> it's quite common that www. subdomain and second level domain got the
> same content - but it's also possible, that both are completely different.
> 
> so - i vote for a clear -1 for this patch (in technical manner) - TYPO3
> should comply with RFCs - especially if they are HTTP-Relevant

I guess you are mixing some things up. We are dealing with the cookies
the browser is sending to us. So if there is a bug, it is the browser's,
and we cannot fix it in TYPO3.

If you set up your (TYPO3) cookieDomain to be "example.com", you expect
that cookie to be valid in the top domain and all subdomains, because
this is what the RFC says. This is also what will happen, but you won't
get the benefit of using it in IE8 because of the mentioned bug. With
the fix now in, it works.

If you don't set any cookieDomain, it is up to the browsers to correctly
interpret the RFC. Internet Explorer has the habit of adding a "." in
front of it even in this case. This behaviour cannot be changed by TYPO3
and is not affected by our fix.

> btw: you should really use RFC 2606 compliant domains for example
> purposes ;)

True!

Cheers,
Ernesto
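
The cookie scoping discussed in this thread, as an added example that is not part of the original message and is not TYPO3 code. It assumes the domain-matching rules of the later RFC 6265 rather than RFC 2965; the function names and the `legacyIE` switch (modelling the Internet Explorer behaviour described above) are hypothetical.

```javascript
// Added example (not TYPO3 code): cookie scoping following RFC 6265.
// Public-suffix checks done by real browsers are left out.

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // Suffix match only on a label boundary, and never for IP addresses.
  return !isIp(host) && host.endsWith("." + domain);
}

// Decide how a cookie set by `requestHost` is stored. `domainAttr` is the
// Domain attribute (null when omitted). `legacyIE` is an assumed switch that
// models the behaviour described in the message: no Domain attribute is
// treated as if ".<host>" had been given.
function storeCookie(requestHost, domainAttr, { legacyIE = false } = {}) {
  const host = requestHost.toLowerCase();
  if (domainAttr) {
    const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
    if (!domainMatch(host, domain)) return null; // foreign domain: rejected
    return { domain, hostOnly: false };
  }
  return { domain: host, hostOnly: !legacyIE };
}

// Would the browser attach the stored cookie to a request for `host`?
function isSentTo(cookie, host) {
  if (cookie === null) return false;
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatch(h, cookie.domain);
}

// Constructed cases: all cookies are set while visiting example.com.
const cases = [
  ["Domain=example.com", storeCookie("example.com", "example.com")],
  ["Domain=.example.com", storeCookie("example.com", ".example.com")],
  ["no Domain", storeCookie("example.com", null)],
  ["no Domain, legacy IE", storeCookie("example.com", null, { legacyIE: true })],
];
for (const [label, cookie] of cases) {
  console.log(label.padEnd(22), "sent to www.example.com:", isSentTo(cookie, "www.example.com"));
}
```

A session cookie stored with a Domain attribute is attached to requests for every subdomain, so that scope should be configured only when all of those hosts are trusted with the session.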

