EllisLab text mark
Advanced Search
     
Cookies not being set on localhost
 
praj
Posted: 21 January 2012 06:14 PM   [ Ignore ]
Joined: 2011-05-30
6 posts

I thought I would post this in case anyone else runs into the same trouble.

Running CodeIgniter 2.1.0 on MAMP (Mac OSX 10.7.2, various browsers tested including Chrome 16.0.x, Safari 5.1.2, Firefox 9.0) I couldn’t get the Session class to create cookies (either as cookies or in the DB). Lots of investigation and tweaking later, I pinpointed it to the following:

$config['cookie_secure'FALSE// Cannot be TRUE in localhost or cookies are not set in $_COOKIE array 

As per the comments above, setting the cookie_secure property seems to be the issue (in my case anyway). Trolling through the forums and google searches, there are various reasons why your cookies may not work correctly - this is one reason when developing locally.

Setting:

$config['global_xss_filtering'TRUE

Was not the issue (there are suggestions this can cause problems).

Here are my cookie settings for reference:

$config['sess_cookie_name']  'ci_session';
$config['sess_expiration']  7200;
$config['sess_expire_on_close'FALSE;
$config['sess_encrypt_cookie'TRUE;
$config['sess_use_database'TRUE;
$config['sess_table_name']  'sessions';
$config['sess_match_ip']  =  FALSE;
$config['sess_match_useragent'TRUE

Note that ‘sess_encrypt_cookie’ is true above.
 
WanWizard
Posted: 21 January 2012 06:20 PM   [ Ignore ]   [ # 1 ]   [ Rating: 0 ]
Avatar
Joined: 2008-11-04
4404 posts

‘localhost’ is an invalid hostname, as per RFC 2965.

More and more browsers will reject it as a valid hostname for cookies. In short, browsers should reject cookies when any of the following rules are true:

* The value for the Path attribute is not a prefix of the request-URI.
* The value for the Domain attribute contains no embedded dots, and the value is not .local.
* The effective host name that derives from the request-host does not domain-match the Domain attribute.
* The request-host is a HDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
* The Port attribute has a “port-list”, and the request-port was not in the list.

And as you can see, ‘localhost’ falls under point 2.

 Signature 

Me: WanWizard.eu | My company: Exite | Datamapper: DataMapper ORM
 
praj
Posted: 21 January 2012 06:21 PM   [ Ignore ]   [ # 2 ]   [ Rating: 0 ]
Joined: 2011-05-30
6 posts

As as I should have I guessed, I only noticed the following comment in config.php AFTER making this post:

// ‘cookie_secure’ =  Cookies will only be set if a secure HTTPS connection exists.

So, since you are very unlikely to have https enabled while developing locally - that would explain the problem smile
 
praj
Posted: 21 January 2012 06:26 PM   [ Ignore ]   [ # 3 ]   [ Rating: 0 ]
Joined: 2011-05-30
6 posts

Interestingly, I don’t have that problem with the cookie domain not being set to .local - leaving it as “” works fine.

I’ve seen that mentioned quite a few times, but leaving the setting as:

$config['cookie_domain'""

Works fine using localhost and the browsers mentioned in the original post.
 
WanWizard
Posted: 21 January 2012 06:33 PM   [ Ignore ]   [ # 4 ]   [ Rating: 0 ]
Avatar
Joined: 2008-11-04
4404 posts

Nobody’s saying that you have to set the domain to “.local”.

It says: “every hostname that does not contain embedded dots, and is not .local, is invalid”. And “localhost” does not contain a dot.

So expect browsers are going to reject it, if not today, then tomorrow, as part of attempts to make cookies more secure.

Therefore I suggest to no longer use localhost, but simply add something like “mymac.local” to your /etc/hosts, and use that.

 Signature 

Me: WanWizard.eu | My company: Exite | Datamapper: DataMapper ORM
 
praj
Posted: 21 January 2012 11:59 PM   [ Ignore ]   [ # 5 ]   [ Rating: 0 ]
Joined: 2011-05-30
6 posts

That does make sense. Thanks for the tip, much appreciated.