Make ACP cookie configuration easier

Posted: Wed Aug 07, 2019 6:38 am
by v12mike
The current ACP cookie configuration page, although functionally adequate, is confusing for many (especially new) admins and over the years has been the cause of a lot of issues with users (and admins) being locked out after installs, upgrades and reconfigurations.

I would like to change the default behaviour and configuration page layout to make life simpler, while not taking away the option for advanced admins to configure cookies the same way they currently do.

From the admin's point of view, the default cookie configuration fields would all be blank, with the board determining a safe set of values, which could be overridden by an admin if desired, although the need for this should be rare, except where cookies are being shared with another application.

Going through the parameters:
  • Cookie domain: No functional change, but the help text to be updated to recommend more strongly that it be left blank. I would also investigate further whether the leading dot in the cookie domain is still relevant today (I suspect not).
  • Cookie Name: This should normally be left blank. In the case that it is left blank, the board will calculate a suitable value, by concatenating the board path with a cookie_version number which is incremented
    • each time the cookie settings are saved,
    • each time the sessions table is purged
    • each time the board protocol (http:/https:) is changed
    This is a similar concept to assets version number.
  • Cookie path: This should be left blank, but internally defaults to the board path.
  • Cookie secure: This should have a 3rd (default) option of Automatic, where the cookie secure value tracks the http: or https: configuration of the board.
I would also like the ACP cookie configuration page to display the current cookie configuration of the board.
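
The defaults proposed in this post, sketched as an added example (not part of the original post and not phpBB code): blank ACP fields resolve to values derived from the board URL, and a setting that would lose every login is rejected. The function names, the `board_<path>_v<version>` naming scheme and the 'auto'/'on'/'off' values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CookieSettings:
    name: str
    domain: Optional[str]  # None = send no Domain attribute (host-only cookie)
    path: str
    secure: bool


def effective_cookie_settings(board_url, cookie_version,
                              name="", domain="", path="", secure="auto"):
    """Resolve ACP fields (blank = let the board decide) into real cookie values."""
    url = urlsplit(board_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("board URL must be an absolute http(s) URL")
    board_path = url.path.rstrip("/") + "/"  # "/forum" -> "/forum/", "" -> "/"

    if secure not in ("auto", "on", "off"):
        raise ValueError("secure must be 'auto', 'on' or 'off'")
    secure_flag = (url.scheme == "https") if secure == "auto" else (secure == "on")
    if secure_flag and url.scheme != "https":
        # Browsers only return Secure cookies over HTTPS: every login would be lost.
        raise ValueError("Secure cookie on an http: board would lock users out")

    if not name:
        # Assumed naming scheme: sanitised board path plus the version counter, so
        # a bumped version makes cookies issued under old settings unrecognised.
        slug = re.sub(r"[^A-Za-z0-9]+", "_", board_path).strip("_") or "root"
        name = f"board_{slug}_v{cookie_version}"

    return CookieSettings(name=name, domain=domain or None,
                          path=path or board_path, secure=secure_flag)


def set_cookie_header(s, value):
    """Render the Set-Cookie line these settings would produce."""
    attrs = [f"{s.name}={value}", f"Path={s.path}"]
    if s.domain:
        attrs.append(f"Domain={s.domain}")
    if s.secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)
```

The rendered header is what the proposed "display the current cookie configuration" panel could show to an admin.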

Re: Make ACP cookie configuration easier

Posted: Wed Aug 07, 2019 8:03 am
by KevC
Surely if all of the fields are blank then more people really are going to be locked out. You would need a fundamental understanding of what should go in those fields and if you get it wrong by adding or not adding http:// in the right place then you'll never get back in.

At the moment it suggests values which are highly likely to be correct on a new installation.

Re: Make ACP cookie configuration easier

Posted: Wed Aug 07, 2019 10:17 am
by v12mike
What I am suggesting is that if all the fields in the ACP are left blank, then the board will select a safe set of parameters to populate the actual cookies (which of course are not blank).

The problem with the current implementation is that it requires admins to fill in values that they often don't understand and in the majority of installations a safe set of cookie parameters can be determined by a simple algorithm.

Re: Make ACP cookie configuration easier

Posted: Wed Aug 07, 2019 10:28 am
by david63
v12mike wrote:
Wed Aug 07, 2019 10:17 am
then the board will select a safe set of parameters to populate the actual cookies
Isn't that what is effectively happening now?
v12mike wrote:
Wed Aug 07, 2019 10:17 am
The problem with the current implementation is that it requires admins to fill in values that they often don't understand
There is normally no requirement for an Admin to fill anything in - but they do need the facility to change the settings.

Re: Make ACP cookie configuration easier

Posted: Wed Aug 07, 2019 10:42 am
by KevC
What he said ^

It generally fills in all of the correct information at the point of installation. I've never edited anything on that page in all of the installations I've ever done.

Re: Make ACP cookie configuration easier

Posted: Tue Aug 13, 2019 7:00 am
by Tastenplayer
KevC wrote:
Wed Aug 07, 2019 10:42 am
What he said ^
I've never edited anything on that page in all of the installations I've ever done.
I had to adjust the settings every time.
This is related to the server configuration / address of the forum (subdomain with reference to folders and redirection to https). Then you must not forget to add the dot in front of the cookie domain. Which beginner admin knows that there must be a dot in front of it. If this point is missing, you get problems.

Re: Make ACP cookie configuration easier

Posted: Tue Aug 13, 2019 8:32 am
by KevC
More often than not it's correct already on the page when I've done installations.

Re: Make ACP cookie configuration easier

Posted: Wed Aug 14, 2019 7:27 am
by AmigoJack
Tastenplayer wrote:
Tue Aug 13, 2019 7:00 am
Which beginner admin knows that there must be a dot in front of it.
If that was intended as a question then the answer is: those being prepared. Being a beginner doesn't imply you weren't able to gather knowledge in advance: RFC 2109 defines cookies and the differences between a leading dot and none for the domain part - either one understands that, or one simply accepts that it is needed that way.