Follow-up Comment #5, bug #6694 (project savane):

Hmm, I thought we were following the cookieV2 RFC but actually PHP still sends V1 cookies.

This means: http://www.faqs.org/rfcs/rfc2109

* A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.

If we are to set a cookie on a domain and subdomains, we need to explicitly put a dot in front of the domain.

This also does not work on subsubdomains (V1 and V2):

* A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.

which means web.cvs.savannah.gnu.org could not use this authentication scheme.

This confirms my opinion that this is a less-than-optimal solution :/

Btw, I notice that the subdomain authentication trick also does not work if you accept 'www.' for your domain. You'd have to strip it from the cookies' domain.

_______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?func=detailitem&item_id=6694>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/

_______________________________________________
Savane-dev mailing list
https://mail.gna.org/listinfo/savane-dev
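The Domain rules from RFC 2109 section 4.3.2 that the message above quotes, as an added example that is not part of the original message or of Savane's code. The function names, the request hosts paired with each Domain value, and the `.savannah.gnu.org` cookie domain are assumptions made for illustration.

```python
"""Set-Cookie Domain rejection rules of RFC 2109 section 4.3.2 (added example)."""
import ipaddress


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, domain):
    """RFC 2109 domain-match: host has the form N + domain, N non-empty, domain starts with a dot."""
    if _is_ip(host) or _is_ip(domain):
        return host == domain
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def reject_reason(request_host, domain):
    """Return why a V1 user agent rejects Domain=<domain>, or None if it is accepted."""
    host, domain = request_host.lower(), domain.lower()
    if not domain.startswith("."):
        return "Domain does not start with a dot"
    if "." not in domain.strip("."):
        return "Domain contains no embedded dots"
    if not domain_matches(host, domain):
        return "request-host does not domain-match Domain"
    prefix = host[: -len(domain)]  # the H in the RFC's "HD" form
    if not _is_ip(host) and "." in prefix:
        return "H contains a dot"
    return None


# Constructed cases; only the Domain values in the first two rows and the
# y.x.foo.com and web.cvs.savannah.gnu.org host names come from the message.
CASES = [
    ("www.ajax.com", "ajax.com"),
    ("y.x.foo.com", ".foo.com"),
    ("web.cvs.savannah.gnu.org", ".savannah.gnu.org"),  # assumed cookie domain
    ("cvs.savannah.gnu.org", ".savannah.gnu.org"),      # one label below: accepted
    ("cvs.ajax.com", ".www.ajax.com"),                  # Domain that kept a 'www.' label
    ("www.example.com", ".com"),
]

if __name__ == "__main__":
    for host, dom in CASES:
        print(f"{host:28} Domain={dom:20} -> {reject_reason(host, dom) or 'accepted'}")
```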
