Mantis - Quercus
Viewing Issue Advanced Details
1696 minor always 04-19-07 18:22 04-24-07 11:11
closed 3.1.1  
none 3.1.1  
0001696: session_start() generates cookies with null domain
When the php.ini session.cookie_domain value is unset, session_start() (and other functions that use SessionModule.generateSessionCookie()) will generate a cookie with the domain attribute set to an empty string. Firefox on Mac OS X seems to just ignore these empty domain attributes and falls back to using the default domain--the server's hostname. Safari (version 2.0.4 at least) seems to ignore cookies like this. MediaWiki's login screen seems to use this session cookie to determine if a user has cookies enabled, and thus can log in, so Safari users will get an error message about having cookies disabled (when they do have them enabled) when attempting to log in.
I'll attach a small patch that fixes the problem. This patch makes the domain attribute not get set at all if php.ini's session.cookie_domain is not set.
 cookie_domain.patch (677 bytes) 04-19-07 18:23

04-24-07 11:11   
fixed for other servlet containers

When Quercus is running on Resin, the cookie domain is not sent if the domain is the empty string. But other servlet containers may not do the empty string check, thereby sending the problematic empty domain.
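
The behaviour discussed in this issue, as an added example (not Quercus code and not the attached patch): a Set-Cookie builder that omits the Domain attribute when the configured domain is empty, plus a check that flags headers carrying an empty Domain, for testing a servlet container's output. The class and method names and the sample header values are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class CookieDomainExample {
    // Builds a Set-Cookie header value. Domain is emitted only when non-empty,
    // so an unset session.cookie_domain never produces "Domain=".
    static String buildSetCookie(String name, String value, String domain, String path) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        if (domain != null && !domain.trim().isEmpty()) {
            sb.append("; Domain=").append(domain.trim());
        }
        if (path != null && !path.isEmpty()) {
            sb.append("; Path=").append(path);
        }
        return sb.toString();
    }

    // Returns true when a Set-Cookie header value carries a Domain attribute
    // with no value ("Domain=", "domain = ", a bare "Domain", or Domain="").
    // Assumes the cookie value itself contains no ';'.
    static boolean hasEmptyDomain(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) { // parts[0] is name=value
            String attr = parts[i].trim();
            int eq = attr.indexOf('=');
            String key = (eq < 0 ? attr : attr.substring(0, eq)).trim();
            String val = eq < 0 ? "" : attr.substring(eq + 1).trim();
            if (key.equalsIgnoreCase("domain") && (val.isEmpty() || val.equals("\"\""))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server.
        List<String> headers = new ArrayList<>();
        headers.add("PHPSESSID=abc123; Domain=; Path=/");            // form described in the report
        headers.add("PHPSESSID=abc123; Domain=example.com; Path=/"); // explicit domain
        headers.add(buildSetCookie("PHPSESSID", "abc123", "", "/")); // guarded builder output
        for (String h : headers) {
            System.out.println((hasEmptyDomain(h) ? "EMPTY-DOMAIN  " : "ok            ") + h);
        }
    }
}
```

Only the first sample header is flagged; the guarded builder produces `PHPSESSID=abc123; Path=/`, leaving the browser to default the cookie to the server's hostname.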