What standard does phpBB follow for setting cookies?

P_I
Registered User
Posts: 69
Joined: Fri Oct 31, 2014 4:56 am

What standard does phpBB follow for setting cookies?

Post by P_I » Fri Mar 24, 2017 10:41 pm

A common topic of discussion on the phpBB.com support forums is making sure the board has proper cookie settings; specifically, the requirement for a leading dot for the 'Cookie domain' seems problematic to many board admins.

In doing some research, I'm trying to determine which standard is used for phpBB's cookies. A couple of phpBB resources I reviewed are: which offer some insight into the issue, but not a complete understanding. If you read all three, there is conflicting information about the requirements for setting cookie domain.

The leading dot requirement seems to come from RFC 2109. So is that the standard that phpBB uses?

According to IETF, RFC 2109 has been obsoleted by: 2965, which in turn has been obsoleted by: 6265. Further, PHP: setcookie - Manual indicates
RFC 6265 provides the normative reference on how each setcookie() parameter is interpreted.
If we look further into PHP's setcookie() call, they discuss the domain parameter as:
PHP: setcookie - Manual wrote: domain
The (sub)domain that the cookie is available to. Setting this to a subdomain (such as 'www.example.com') will make the cookie available to that subdomain and all other sub-domains of it (i.e. w2.www.example.com). To make the cookie available to the whole domain (including all subdomains of it), simply set the value to the domain name ('example.com', in this case).

Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.
If I understand this all correctly, there is no need for phpBB to enforce the requirement of a leading dot in the cookie domain setting.

Taking this a step further, is there any requirement for the specification in ACP->Cookie settings of a 'Cookie domain'? Why can it not be dynamically determined?

Am I missing something or not understanding the current state of the standards, and PHP's implementation correctly?

3Di
Registered User
Posts: 694
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: What standard does phpBB follow for setting cookies?

Post by 3Di » Sat Mar 25, 2017 4:25 am

You might want to have a look at
FORUM_ROOT/phpbb/sessions.php function set_cookie().
Want to compensate me for my interest? Don't ask me, just do it
I'm available for custom phpBB jobs, you can PM me the details.
New: my Live Board, Extensions and Tools for phpBB - Men at works.

P_I
Registered User
Posts: 69
Joined: Fri Oct 31, 2014 4:56 am

Re: What standard does phpBB follow for setting cookies?

Post by P_I » Sat Mar 25, 2017 12:45 pm

Thanks. I was trying to first understand the design specification before I started looking into the code.

As I stated in the first paragraph, this seems to be a common source of problems for board admins, and I can find a number of places where the phpBB documentation and/or support discussions don't provide a consistent answer, so I'm starting at first principles to look at the requirement/specification before implementation.

Louis7777
Registered User
Posts: 378
Joined: Fri Apr 04, 2014 12:32 am

Re: What standard does phpBB follow for setting cookies?

Post by Louis7777 » Sat Mar 25, 2017 2:42 pm

P_I wrote:
Sat Mar 25, 2017 12:45 pm
this seems to be a common source of problems for board admins
It is. I run some SQL queries to update cookie information whenever I transfer a phpBB site, because otherwise I can't enter the admin panel.

3Di
Registered User
Posts: 694
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: What standard does phpBB follow for setting cookies?

Post by 3Di » Sun Mar 26, 2017 1:43 am

During the installation, this bit of code is the only one used to calculate and (a few lines later) store the result into the config. As you can see, there isn't so much to wonder about.

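		// Calculate cookie domain
		$cookie_domain = $server_name;

		// substr() from offset 3 drops 'www' but keeps the dot:
		// 'www.example.com' becomes '.example.com'
		if (strpos($cookie_domain, 'www.') === 0)
		{
			$cookie_domain = substr($cookie_domain, 3);
		}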
Search for the file add_config_settings.php in the FORUM_ROOT/phpbb/install folder
Want to compensate me for my interest? Don't ask me, just do it
I'm available for custom phpBB jobs, you can PM me the details.
New: my Live Board, Extensions and Tools for phpBB - Men at works.
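
An added example (not part of the thread and not phpBB's code) of how an RFC 6265 user agent processes the Domain attribute, applied to the installer calculation quoted above. Function names and hosts are hypothetical, the request host is assumed to carry no port, and the public-suffix check of section 5.3 is left out.

```javascript
// RFC 6265 Domain handling as a user agent applies it (sections 5.1.3, 5.2.3, 5.3, 5.4).
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// Section 5.2.3: a leading "." on the Domain attribute is dropped, then lower-cased.
function parseDomainAttribute(value) {
  if (!value) return "";
  return (value[0] === "." ? value.slice(1) : value).toLowerCase();
}

// Section 5.1.3: identical, or a suffix preceded by "." when the host is not an IP.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  return host.endsWith("." + domain) && !isIp(host);
}

// Section 5.3 step 6: returns the stored cookie scope, or null if the cookie is ignored.
function storeCookie(requestHost, domainAttr) {
  const domain = parseDomainAttribute(domainAttr);
  if (domain === "") return { domain: requestHost.toLowerCase(), hostOnly: true };
  if (!domainMatches(requestHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Section 5.4: is a stored cookie returned on a request to this host?
function isSentTo(cookie, host) {
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// The installer calculation from the post above, mirrored for comparison.
function installerCookieDomain(serverName) {
  return serverName.startsWith("www.") ? serverName.slice(3) : serverName;
}

// Constructed sample hosts.
const dotted = storeCookie("www.example.com", installerCookieDomain("www.example.com"));
const plain = storeCookie("www.example.com", "example.com");
const hostOnly = storeCookie("www.example.com", ""); // no Domain attribute sent
const moved = storeCookie("forum.example.org", ".example.com"); // stale setting after a move
console.log({ dotted, plain, hostOnly, moved });
```

Under these rules the dotted and undotted values store the same cookie, an omitted Domain gives a host-only cookie, and a configured domain that no longer matches the serving host causes the cookie to be dropped.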

P_I
Registered User
Posts: 69
Joined: Fri Oct 31, 2014 4:56 am

Re: What standard does phpBB follow for setting cookies?

Post by P_I » Sun Mar 26, 2017 1:53 am

Searching for incorrect cookie in the Support Forums turns up 230 instances (at this point in time), and almost always the solution is to add a dot to the front of the domain name and/or reference to Knowledge Base - Fixing incorrect cookie settings. That's what got me started on this effort.

Clearly there is an issue for board admins and I believe a question of what standard phpBB follows. I'm making an effort to unravel it and propose a new solution going forward.

Marc
Development Team Leader
Posts: 123
Joined: Thu Sep 09, 2010 11:36 am
Location: Munich, Germany

Re: What standard does phpBB follow for setting cookies?

Post by Marc » Sun Mar 26, 2017 9:48 am

You already noticed that it's recommended to have a leading dot in front of the domain name by our support docs. While you're citing that the PHP manual on setcookie specifies that setting example.com is enough to set a cookie for the full domain, some older browsers still have issues with it. Therefore, the domain path for the best compatibility across browsers is still adding the leading dot.
As a result of that I see no reason to change this any time soon.

P_I
Registered User
Posts: 69
Joined: Fri Oct 31, 2014 4:56 am

Re: What standard does phpBB follow for setting cookies?

Post by P_I » Sun Mar 26, 2017 4:15 pm

As I said, I'm investigating this simply because it repeatedly and regularly appears in the phpBB support forums as a problem for board admins.

At a minimum, I've created [PHPBB3-15151] ACP Cookie settings should contain explanatory text for all fields to assist board admins.

For information/comparison's sake, neither WordPress nor MediaWiki requires explicit configuration of the cookie domain; they default to using the current domain. They do offer configuration options if needed: WordPress (Set Cookie Domain « WordPress Codex) or MediaWiki (Manual:$wgCookieDomain - MediaWiki).
Marc wrote:
Sun Mar 26, 2017 9:48 am
some older browsers still have issues with it.
Can you provide a link to indicate which ones, and are they versions that phpBB 3.2.x supports? I know that support for older versions of IE has been dropped over the past few feature releases.

Can we agree that phpBB should be conforming to RFC 6265, which dates to April 2011?

CHItA
Development Team
Posts: 128
Joined: Thu Mar 12, 2015 1:43 pm
Location: Budapest, Hungary

Re: What standard does phpBB follow for setting cookies?

Post by CHItA » Sun Mar 26, 2017 10:30 pm

P_I wrote:
Sun Mar 26, 2017 4:15 pm
Can we agree that phpBB should be conforming to RFC 6265, which dates to April 2011?
And it does. It also does with 2109. If it ain't broke, don't fix it.

DavidIQ
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: What standard does phpBB follow for setting cookies?

Post by DavidIQ » Mon Mar 27, 2017 7:29 pm

I don't think you'll find any actual code that cares if the cookie domain setting has a preceding dot or not. What you've referenced are merely support docs to help troubleshoot cookie problems some users experience and report. Furthermore cookie problems aren't really something only we have to deal with regularly. ;) Of course that doesn't mean that some better explanation should be provided for each of the cookie settings, but there really isn't anything we're doing in code to cause reported cookie issues.