MarkDHamill wrote: ↑
Fri Jul 10, 2020 7:19 pm
Any idea why this would be? I'm guessing it's to make these session cookies?
I'm pretty sure you would have had to modify phpBB in order to make "session-only cookies" though, since they wouldn't work the way phpBB intends if "they only persisted until the web browser was closed." I believe you can make phpBB set the cookies without a domain (such that they are explicitly "only for the current domain"), but not "without a time" (to make them only for the current browser session).
What is the user interface you're even viewing the cookies with there? It might be common, but I don't recognize it. My first guess would be that whatever this UI is "simply doesn't have access to what the cookie expiration time is", and is showing a zero-based time epoch for that reason.
The place I see explicitly what cookie expiration, domain and other details are being set by phpBB is to delete my current cookies using the web browser's interface for doing this, and then open the F12 Network tab and reload the page. (And/or log in if I want to see the "_u" and "_k" cookies set to their final values, too.)
The "Set-Cookie" headers you see phpBB sending in the response shown in the F12 Network tab are definitively what ended up being sent from the server; even if those cookies were for the wrong domain, invalid time, or any other condition that would make the web browser immediately choose to not even use the cookies that were sent & wouldn't have displayed them as valid cookies for the site you're viewing.
Have you described what the HTTP 401 problem scenario is? I'm not sure exactly what you're seeing overall, before going after specifically the cookies as a potential cause.
"A phpBB ACP login which fails with a permissions error after successfully finishing the ACP login" does happen to be a symptom several "form invalid" customers also saw. Because if phpBB can't match you back to the same session again on your next visit, that can give you a "no permissions" on the ACP login redirect, same as it can give you "form invalid" even on the initial login.
But I think that ACP login case returned HTTP 403 under those circumstances, not HTTP 401. I do see where session.php will issue an HTTP 401 if NEED_SID is set (which is true for /adm/index.php) and either there isn't any SID in the URL, or that SID in the URL doesn't match the SID which would have been learned from the "_sid" cookie.
So that does seem like "it's possible that cookie problems could be causing this HTTP 401", but it remains unclear whether the cookie time stamp is actually the culprit there.
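
An added example, not part of the original post: a small Python checker for "Set-Cookie" header values copied out of the F12 Network tab, which flags cookies that are session-only, already expired when they arrive, or scoped to a domain that does not match the requesting host. The cookie prefix, host names, sample headers and fixed clock are constructed placeholders, and the finding labels are this example's own.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.partition("=")[0].strip(), attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: same host, or host is a subdomain of the cookie domain."""
    domain = cookie_domain.lstrip(".").lower()
    return host.lower() == domain or host.lower().endswith("." + domain)

def diagnose(value, request_host, now):
    """Return (cookie name, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(value)
    findings = []
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            expired = int(attrs["max-age"]) <= 0
        elif "expires" in attrs:
            exp = parsedate_to_datetime(attrs["expires"])
            expired = (exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)) <= now
        else:
            expired = False
            findings.append("session-only")  # lives until the browser closes
        if expired:
            findings.append("expired-on-arrival")  # browser discards it at once
    except (TypeError, ValueError):
        findings.append("unparseable-lifetime")
    if not attrs.get("domain"):
        findings.append("host-only")  # no Domain attribute: current host only
    elif not domain_matches(request_host, attrs["domain"]):
        findings.append("domain-mismatch")  # browser rejects the cookie
    return name, findings

# Constructed sample headers; the cookie prefix and host names are placeholders.
SAMPLE = [
    "phpbb3_example_sid=abc; expires=Sat, 10 Jul 2021 19:19:00 GMT; path=/; domain=forum.example.com; HttpOnly",
    "phpbb3_example_u=1; path=/; HttpOnly",
    "phpbb3_example_k=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=other.example.net",
]
NOW = datetime(2020, 7, 10, 19, 19, tzinfo=timezone.utc)  # constructed fixed clock

if __name__ == "__main__":
    for header in SAMPLE:
        print(diagnose(header, "forum.example.com", NOW))
```

A cookie with an empty findings list is one the browser should accept and keep, so if it still is not sent back on the next request, the cause lies elsewhere.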