For as long as i can remember (from version 5.47c, 6.04e, and now 6.1.0.3), this bug has always existed.
When changing subdomain names, users login/logout functions and cookies do not work properly.
For example. Setup UBB with a domain name of: test.com
Login to the UBB.
Change the domain name to www.test.com and re-configure UBB to use the new subdomain name.
Login to the UBB using old password combo.
Now, users can not logoff unless the old board still exists at: test.com
Resolution to the problem can not be resolved using the cookie clearing option. However, if the old address still links to the board, users can log off one time at the old boards address to fix the problem. Give users the address: http://test.com/cgi-bin/ultimatebb.cgi?ubb=logoff . After the users use the link, they will be logged off and future logins/logoffs and cookie verification will work properly at the new boards address.
If this makes absolutely no sense, feel free to contact me at: []corona@altereddestiny.net[/] for more information. i have a few test boards which you can use to play with this bug if needed.
[This message was edited by Charles Capps on September 05, 2002 at 03:03 PM.]
It is my understanding that you need to be consistent in your usage of 'www.domain.com' or 'domain.com' because it is the web browser that interprets domains written without 'www.' and written with 'www.' as two totally separate domains.
If you created a site named: virtualave.net, logged in, then went to a subdomain microsoft.virtualave.net, your cookie from virtualave.net would be sent to microsoft.virtualave.net. this is exactly the problem, and is not acceptable behavoir.
However, if you have one site named test.virtualave.net, and a second named microsoft.virtualave.net, cookies would work properly from the get-go.
Notice problem exists when a cookie is created from a straight domain name, then UBB is setup on a subdomain of the same domain name.
It might be some buggy functionality in IE5.5 sp2, but a cookie registered into the browser using a straight domain name will always be tried on all subdomains first (pretty sure about it being tried on ALL subdomains. However, i have only verified this on a subdomain named WWW). Even if a second cookie with a subdomain appended to the domain name is registered in the browser.
With the straight domain name cookie (no sub domains) registered in the browser, (even if ubb is no longer accessable by a straight domain name) UBB ceases to function properly -- will not update post indicators, can not login/logoff properly etc... Using the clear post indicator will not clear this cookie from the browser either.
This behavior is an indication that a cookie which has been implanted into the browser under a straight domain name is being tried on the subdomain where the UBB now resides.
[This message was edited by audioman on 20 Jan 02 at 09:24 PM.]
Resolution to the problem can not be resolved using the cookie clearing option. However, if the old address still links to the board, users can log off one time at the old boards address to fix the problem. Give users the address: http://test.com/cgi-bin/ultimatebb.cgi?ubb=logoff . After the users use the link, they will be logged off and future logins/logoffs and cookie verification will work properly at the new boards address.
This is not correct. while using the above mentioned link, the user can effectively log off/login properly in all subsequent events. however, cookie verification does not work properly at the new boards address. Indication of the cookie problem can be noticed by Posting indicators being 'stuck'. Post indicators will not update properly until the user physically deletes the cookie which has been registered through a flat domain name. IE: (on windows 2000) Open C:documents and settings%username%cookies and deleting the cookie named: %username%@test.com[1].txt. (replace %username% with appropriate users account name).
After physically deleting the domain cookie from the browser, all cookie functionality of the UBB begins to work properly in all subdomains.
The UBB cookies are locked into the exact domain *ONLY*.
This is the designed behavior and will not be fixed unless given a really, really good reason to break *EVERY* UBB cookie in existance.... <img src="https://www.ubbcentral.com/boards/images/graemlins/smile.gif" alt="" />
-- Charles Capps Programmer, Infopop Corporation Please do not contact me privately for support - post on the board or open a support ticket instead!
Originally posted by Corona: If you created a site named: virtualave.net, logged in, then went to a subdomain microsoft.virtualave.net, your cookie from virtualave.net would be sent to microsoft.virtualave.net. this is exactly the problem, and is not acceptable behavoir.
No, it won't. <img src="https://www.ubbcentral.com/boards/images/graemlins/tongue.gif" alt="" />
Yes, it would. <img src="https://www.ubbcentral.com/boards/images/graemlins/tongue.gif" alt="" />
A cookie with domain "virtualave.net" would be sent to any domain which ends in "virtualave.net", including "microsoft.virtualave.net" and "www.virtualave.net".
However, a cookie with domain "microsoft.virtualave.net" would only be sent to "microsoft.virtualave.net", not "virtualave.net" or "www.virtualave.net".
[This message was edited by Dave_L on 24 Jan 02 at 11:02 AM.]
Originally posted by Charles Capps: Cookies will *NOT* traverse subdomains unless they are explicitely told to.
That should read:
Cookies created on a subdomain will not traverse to other subdomains.
Cookies created on a domain name will traverse through all subdomains. However, the cookie settings will not be fully inherited properly due to the differing of code in the cookie compared to the settings required by the subdomain. Even though the inheritance does not fully occur, a UBB site may show an authenticated user's name and a status as 'logged in' when they are not truely logged in. Attempts to log out or login fully when a domain cookie exists (which is tried on a subdomain) are not successfully completed. After an end user physically deletes a domain cookie from thier temporary internet files, login/logout will work properly. This behavior is (to my knowledge ONLY) apparent when a pre-existing UBB site is 'moved' from a domain name to a subdomain within the original domain name.
What i mean by 'moved' is: to change the location of the UBB site URL within the UBB control panel. For example, from http://test.com to http://www.test.com .
Cookies created on a domain name will traverse through all subdomains. However, the cookie settings will not be fully inherited properly due to the differing of code in the cookie compared to the settings required by the subdomain.
In the second sentence above, are you talking about the situation where the client contains multiple cookies, some associated with the domain and some associated with a subdomain? If not, could you explain more fully, or give an example?
Originally posted by Dave_L: Quote: "Cookies created on a domain name will traverse through all subdomains. However, the cookie settings will not be fully inherited properly due to the differing of code in the cookie compared to the settings required by the subdomain."
In the second sentence above, are you talking about the situation where the client contains multiple cookies, some associated with the domain and some associated with a subdomain? If not, could you explain more fully, or give an example?
yes, for instance, a ubb site is located at http://test.com, and a client creates a cookie to that domain (by logging-in). Assume the site is then moved to reside on http://www.test.com, and a client creates another cookie to this subdomain (by attempting to login).
The board will say that the user is logged in -- now try logging out. A message is given 'You have now logged off', however your login/logout status will still show the users name and a logged-in status.
The problem is that the UBB uses the user-specified domain when setting cookies. If a user uses a URL "www.example.com/...", then the domain associated with the cookie is "www.example.com". If the user uses the URL "example.com/...", the domain "example.com" gets associated with the cookie.
I solved this problem in another script I wrote by stripping off the "www" (if present) when setting cookies. The same cookies would then be fetched whether or not the user included the "www" in the URL. This solution might not be suitable for all servers, since sometimes the DNS isn't configured to handle both the www-present and www-absent cases. Then again, I'm not sure whether the DNS configuration matters here.
However, I think that the UBB should allow the cookie domain to be optionally specified as a configuration parameter, so that those of us who want to make the cookies behave more rationally would have that ability. If you're afraid that people would mess things up by misusing this parameter, you could add a warning note about it next to the place where the parameter is set.
