server/cookies setting on multiple board instalation and domain redirection

Get help with installation and running phpBB 3.3.x here. Please do not post bug reports, feature requests, or extension related questions here.
Post Reply
testingmro
Registered User
Posts: 74
Joined: Mon Mar 15, 2021 1:56 pm

server/cookies setting on multiple board instalation and domain redirection

Post by testingmro »

Hello dear community!
I cant find any exactly similar topic ..., im not sure if my configuration is fine.
I inherited those settings from my predecessor, and part of them look little strange.

We are using https, phpbb 3.3.3, php 7.4, the server has SSL certificate.
All hosting names are taken as examples "out of the blue" to be more simple. "No servers were harmed ..." ;-)

We have hosting on provider lets say "hoster.com"
Hosting addrees will be : best.hoster.com
and domain name is different for ex.: board.com

On hosting:
best.hoster.com we have catalogs:
best.hoster.com/production
best.hoster.com/mirror1
best.hoster.com/mirror2

All catalogs (and main catalog) has .htaccess files with:

Code: Select all

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Than, on domain
board.com management panel (from domain hosting side) we have redirections:
1. board.com pointing to -> best.hoster.com/production as main domain redirection
2. test1.board.com pointing to -> best.hoster.com/mirror1
3. test2.board.com pointing to -> best.hoster.com/mirror2

I would kindly ask you to confirm exact cookies and server configuration, to be sure that those are ok.

A)
First thing is i can go to address https://board.com and it will stay that way, without "www" is that ok?
I have checked, that on https://www.phpbb.com if i delete "www" part it will momentarily redirect me to https://www.phpbb.com.
In my installation it let me stay either on https://www or only https://.
Is it relevant in such multi environment setup and from secure cookies perspective? I was reading that it could be relevant in such config as mine.

Server settings:
On all installation i have "forced server protocol set to: disabled -> as it is redirected by .htaccess file.
General question is: are we going by domain naming here, or hosting names? or perhaps we have to mix something? ;-)

B)
On production Server i have settings set (which works):

Code: Select all

Server
domain name to: [c]www.board.com[/c] (which is domain name)
port blank ( 0 to be exact, i cant set it to blank)
path to script: '/'

Cookies:
cookies domain : .board.com (domain name with dot at beginning)
cookies path: '/'
cookies secure : enabled
Versus
Could it, or should be done in different way? by hosting names? Something like:

Code: Select all

Server
domain name to: [c]www.best.hoster.com[/c] (which is server/hosting name) -> should it be with www. prefix?
port blank ( 0 )
path to script: '/production'

Cookies:
cookies domain : .best.hoster.com (server/hostin name with dot at beginning)
cookies path: '/production'
cookies secure : enabled
As I understand, the first option is ok, and it should be done as it is now, by domain name (with www.board.com not www.best.hoster.com way)

C)
The mirrors... those are configured by hosting name... my quess is, that should be changed...

Code: Select all

Server
domain name to: [c]best.hoster.com[/c] (which is domain name)
port blank ( 0 to be exact, i cant set it to blank)
path to script: '/mirror1'

Cookies:
cookies domain : best.hoster.com (domain name with dot at beginning)
cookies path: '/' <- nothing here , should it be -> '/mirror1'? 
cookies secure : enabled
D) is connected to A)
When im on https://board.com i can see some extra controls i guess because of mchat on address bar (its about allowing/disallowing extra sound etc):
11.PNG
11.PNG (1.39 KiB) Viewed 2418 times
When i change to https://www.board.com it disappears
112.PNG
112.PNG (1.88 KiB) Viewed 2418 times
What are best practices in such environment?
How to configure it in order to make sure that sessions from different boards will not mix? Or messed up other way?
I hope I have described my problem logically and clearly ;-)
I will be grateful for any help.
Best regards!
Testingmro
testingmro
Registered User
Posts: 74
Joined: Mon Mar 15, 2021 1:56 pm

Re: server/cookies setting on multiple board instalation and domain redirection

Post by testingmro »

Bump!
Soon we will have anniversary of my questions ;-)
I will be very grateful for describing the correct configuration!

Best regards!
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26456
Joined: Fri Aug 29, 2008 9:49 am

Re: server/cookies setting on multiple board instalation and domain redirection

Post by Mick »

What’s your exact issue?

Please supply links to the boards at least that way we can tell you if the cookie settings are correct.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: server/cookies setting on multiple board instalation and domain redirection

Post by thecoalman »

testingmro wrote: Fri Mar 26, 2021 12:16 am First thing is i can go to address https://board.com and it will stay that way, without "www" is that ok?
I have checked, that on https://www.phpbb.com if i delete "www" part it will momentarily redirect me to https://www.phpbb.com.
In my installation it let me stay either on https://www or only https://.
Technically www is sub domain of board.com. It's rare but it's entirely possible to serve different content from both. While it's not necessary, generally you redirect one or the other to maintain consistent URL's. This is especially important for bots because they will not necessarily consider them the same resource.

As far as SSL goes you need a cert for each domain, sub domain or multi domain cert. Standard certs issued usually cover both the www and non www versions, as long as you aren't getting any errors from the browser it's been configured properly.

General question is: are we going by domain naming here, or hosting names?
Generally the yourdomain.host.com is used for testing or preview services. For example you are changing hosts and before changing the DNS entries you can access yourdomain.host.com to see if it's working. How or why it's being used is really not a question for here.


How to configure it in order to make sure that sessions from different boards will not mix?
There is setting for cookie name under the cookie settings which should avoid any conflicts with logins from multiple boards on the same domain. Furthermore only the domain that has set a cookie can access it.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
testingmro
Registered User
Posts: 74
Joined: Mon Mar 15, 2021 1:56 pm

Re: server/cookies setting on multiple board instalation and domain redirection

Post by testingmro »

@thecoalman, thanks for answers.

Everything is clear, except for :
1.
As you write, you can enter the forum directly through the host address, not the domain that is redirected to it. At the same time, the certificates are for the domain. Therefore, should we use the host or domain address in this setting here?
cookie.PNG
2.
And whether in this case of multiple domains and multiple installations should be changed "Cookie path" setting ?

ps. And as I understand it, you just have to make sure that the cookie name is different for each installation ;-)
Thanks!
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: server/cookies setting on multiple board instalation and domain redirection

Post by thecoalman »

The cookie domain needs to be the root domain serving the content preceded by a dot. If the URL is yourdoamain.com or forum.yourdomain.com it needs to be .yourdomain.com . if you are accessing yourdomain.host.com it needs to be .host.com

Whatever the case if you are not experiencing login issues or not seeing any browser warnings I would leave well enough alone unless you can identify issues.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
testingmro
Registered User
Posts: 74
Joined: Mon Mar 15, 2021 1:56 pm

Re: server/cookies setting on multiple board instalation and domain redirection

Post by testingmro »

All clear!
Thanks!
User avatar
Brf
Support Team Member
Support Team Member
Posts: 53379
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}
Contact:

Re: server/cookies setting on multiple board instalation and domain redirection

Post by Brf »

thecoalman wrote: Sat Jan 29, 2022 2:21 pm If the URL is yourdoamain.com or forum.yourdomain.com it needs to be .yourdomain.com
Is this a change? We used to use the subdomain name in the cookie domain name.
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26456
Joined: Fri Aug 29, 2008 9:49 am

Re: server/cookies setting on multiple board instalation and domain redirection

Post by Mick »

Brf wrote: Mon Jan 31, 2022 2:59 pmWe used to use the subdomain name in the cookie domain name
Yes indeedy Knowledge Base - Fixing incorrect cookie settings.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
User avatar
Brf
Support Team Member
Support Team Member
Posts: 53379
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}
Contact:

Re: server/cookies setting on multiple board instalation and domain redirection

Post by Brf »

This is example #2, which says to use forum.yourdomain.com
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: server/cookies setting on multiple board instalation and domain redirection

Post by thecoalman »

Brf wrote: Mon Jan 31, 2022 2:59 pm Is this a change? We used to use the subdomain name in the cookie domain name.
I wrote that based on what the phpBB instructions say in ACP.
In most cases the cookie domain is optional. Leave it blank if you are unsure.

In the case where you have a board integrated with other software or have multiple domains, then to determine the cookie domain you need to do the following. If you have something like example.com and forums.example.com, or perhaps forums.example.com and blog.example.com. Remove the subdomains until you find the common domain, example.com. Now add a dot in front of the common domain and you would enter .example.com (note the dot at the beginning).
From what I'm reading from the specs this is the most compatible way to do it. .example.com will allow the domain and any subdomain to access the cookie. It doesn't need the preceding dot for new browsers but will will be backwards compatible for older browsers. example.com should work just as well with the the exception of older browsers, many years old. sub.example.com should also work.

What I'm unsure about is the effects of having preceding dot on a subdomain as the dot was used to indicate it can be accessed by a subdomain and as I'm reading it if sub.example.com tries to set cookie using the domain name subsub.sub.example.com it's going to be rejected by the browser.

Once again haven't tested it but that's what I'm understanding from what I'm reading.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26456
Joined: Fri Aug 29, 2008 9:49 am

Re: server/cookies setting on multiple board instalation and domain redirection

Post by Mick »

forum.yourdomain.com (no leading dot) is correct as far as I’m aware unless, as has already been said, something has changed.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
Post Reply

Return to “[3.3.x] Support Forum”