In doing some research, I'm trying to determine which standard is used for phpBB's cookies. A couple of phpBB resources I reviewed are:
- Knowledge Base - Fixing incorrect cookie settings;
- Support/Cookie Domain - phpBB Development Wiki and
- Notice in ACP when cookie settings are wrong - Development Discussion Board
The leading dot requirement seems to come from RFC 2109. So is that the standard that phpBB uses?
According to IETF, RFC 2109 has been obsoleted by: 2965, which in turn has been obsoleted by: 6265. Further, PHP: setcookie - Manual indicates
> RFC 6265 provides the normative reference on how each setcookie() parameter is interpreted.

If we look further into PHP's setcookie() call, they discuss the domain parameter as:

PHP: setcookie - Manual wrote:
> domain
> The (sub)domain that the cookie is available to. Setting this to a subdomain (such as 'www.example.com') will make the cookie available to that subdomain and all other sub-domains of it (i.e. w2.www.example.com). To make the cookie available to the whole domain (including all subdomains of it), simply set the value to the domain name ('example.com', in this case).
> Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.

If I understand this all correctly, there is no need for phpBB to enforce the requirement of a leading dot in the cookie domain setting.
Taking this a step further, is there any requirement for the specification in ACP->Cookie settings of a 'Cookie domain'? Why can it not be dynamically determined?
Am I missing something or not understanding the current state of the standards, and PHP's implementation correctly?
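
The RFC 6265 rules the post refers to, as an added example that is not part of the original post and is neither phpBB's nor PHP's code: how a conforming user agent processes the Domain attribute (sections 5.2.3, 5.1.3, 5.3 and 5.4). Function names and sample host names are constructed for illustration, and the public-suffix rejection step is left out.

```javascript
// Added example: RFC 6265 user-agent handling of the Domain attribute.
// All function names and host names below are constructed for illustration.

// Section 5.2.3: drop one leading ".", then lowercase the value.
function parseDomainAttribute(value) {
  const v = value.startsWith(".") ? value.slice(1) : value;
  return v.toLowerCase();
}

// Rough IP-literal check: IPv4 dotted quad, or anything containing ":".
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Section 5.1.3: identical, or a dot-delimited suffix of a host name.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith("." + domain);
}

// Section 5.3 steps 4-6 (the public-suffix check in step 5 is omitted).
// Returns the scope the cookie is stored with, or null if it is ignored.
function storeCookieScope(requestHost, domainAttr) {
  const attr = domainAttr ? parseDomainAttribute(domainAttr) : "";
  if (attr === "") {
    // No Domain attribute: host-only cookie bound to the exact request host.
    return { domain: requestHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatches(requestHost, attr)) return null; // foreign domain
  return { domain: attr, hostOnly: false };
}

// Section 5.4: would a cookie stored with this scope be sent to `host`?
function cookieSentTo(scope, host) {
  if (scope === null) return false;
  return scope.hostOnly
    ? host.toLowerCase() === scope.domain
    : domainMatches(host, scope.domain);
}

// Constructed sample: a board served from forum.example.com.
for (const attr of [".example.com", "example.com", "", "other.test"]) {
  const scope = storeCookieScope("forum.example.com", attr);
  console.log(JSON.stringify(attr), "->", JSON.stringify(scope),
    "| sent to www.example.com:", cookieSentTo(scope, "www.example.com"));
}
```

With and without the leading dot the stored scope is identical, while an omitted Domain attribute gives a host-only cookie that sibling subdomains never receive.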