Cookie URLs aren't built correctly #756

Closed
fabsh opened this issue Apr 19, 2016 · 4 comments
@fabsh

fabsh commented Apr 19, 2016

As soon as I turn on login via username/password I can't get to the main selfoss page anymore. Turning on DEBUG gives the message that I am logged in, but then it reports the session isn't valid. Looking at the generated cookie, I figured out that the cookie domain is subdomain.domain.com and the path is subdomain.domain.com -- this is obviously wrong. I patched this by hardcoding my domain to subdomain.domain.com and the path to / in Authentication.php like this:

    // check for SSL proxy and special cookie options
    if(isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && isset($_SERVER['HTTP_X_FORWARDED_HOST'])
       && ($_SERVER['HTTP_X_FORWARDED_SERVER']===$_SERVER['HTTP_X_FORWARDED_HOST'])) {
        $cookie_path = '/';
        $cookie_domain = 'subdomain.domain.com';
    } else {
        // cookie path is script dir.
        $cookie_path = '/';
        $cookie_domain = 'subdomain.domain.com';
    }

Now authentication works, but this is obviously very ugly. I'm running on a Webfaction vserver. I'm guessing the $_SERVER variables are messed up somehow, but I know too little to know how exactly that is broken and why.

@nopoz

nopoz commented May 23, 2016

The above fix worked for me. Having the same problem. I was not getting redirected when logging in with the authentication page. Using nginx frontend to redirect to apache backend.

@lost-geographer
Contributor

lost-geographer commented Jun 4, 2016

I had the same invalid session issue as @fabsh and @doucheymcdoucherson. The problem seems to be that, when it runs behind a proxy, Selfoss builds an invalid cookie URL: the domain is duplicated. You can see something like this in the DEBUG log:

set cookie on domain.com/domain.com/path/ expiring in 2592000 seconds

Or this (if Selfoss is installed in a subdomain):

set cookie on sub.domain.com/sub.domain.com/path/ expiring in 2592000 seconds

As the cookie's URL is built from $cookie_domain and $cookie_path in Authentication.php (lines 37-38), I isolated the two variables' code and their results in order to identify the problem:

Code:

$cookie_path = '/'.$_SERVER['SERVER_NAME'].preg_replace('/\/[^\/]+$/','',$_SERVER['PHP_SELF']).'/';
$cookie_domain = $_SERVER['HTTP_X_FORWARDED_SERVER'];

Results:

$cookie_path = /domain.com/path/
$cookie_domain = domain.com

Solution:

As you can see, part of the $cookie_path result is redundant with $cookie_domain. Actually, the $cookie_path code contains the $_SERVER['SERVER_NAME'] variable, which produces the same value as $cookie_domain, so I just removed it. This is the new code (line 37):

$cookie_path = preg_replace('/\/[^\/]+$/','',$_SERVER['PHP_SELF']).'/';

I don't fully understand how the $cookie_path variable is used, but this little workaround seems to solve the problem.
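To make the two derivations in this thread concrete, here is an added example (not code from selfoss or from any commenter) that computes the cookie domain and path both the original way and the corrected way from a constructed $_SERVER array, and prints them in the format of the DEBUG log line quoted above. The function names, the trusted-proxy list and all sample values are assumptions; the options-array form of session_set_cookie_params needs PHP 7.3 or newer.

```php
<?php
// Added example, not selfoss code: the two cookie-scope variables this issue
// is about, computed from a simulated $_SERVER array so the defect can be
// reproduced without a web server. Function names, the trusted-proxy list
// and the sample request are hypothetical.

/**
 * The derivation quoted in the comment above: the script directory is
 * prefixed with SERVER_NAME, so the cookie "URL" (domain + path) repeats the
 * host and the browser never sends the session cookie back.
 */
function buggyCookieScope(array $server): array
{
    $path = '/' . $server['SERVER_NAME']
        . preg_replace('/\/[^\/]+$/', '', $server['PHP_SELF']) . '/';
    $domain = $server['HTTP_X_FORWARDED_SERVER'] ?? $server['SERVER_NAME'];
    return ['domain' => $domain, 'path' => $path];
}

/**
 * Corrected derivation: the path is the script directory only ("/" for an
 * install at the document root), and X-Forwarded-Server is honoured only
 * when the connecting peer is a known reverse proxy, because the header is
 * otherwise just client input.
 */
function fixedCookieScope(array $server, array $trustedProxies): array
{
    // "/path/index.php" -> "/path"; "/index.php" -> ""
    $dir = preg_replace('/\/[^\/]+$/', '', $server['PHP_SELF']);
    $path = $dir . '/';

    $domain = $server['SERVER_NAME'];
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (isset($server['HTTP_X_FORWARDED_SERVER'])
        && in_array($peer, $trustedProxies, true)
        && preg_match('/^[A-Za-z0-9.-]+$/', $server['HTTP_X_FORWARDED_SERVER'])) {
        $domain = $server['HTTP_X_FORWARDED_SERVER'];
    }
    return ['domain' => $domain, 'path' => $path];
}

/** Formats the scope the way the DEBUG log line in this issue does. */
function describeScope(array $scope): string
{
    return 'set cookie on ' . $scope['domain'] . $scope['path'];
}

// Constructed request: selfoss installed under /path/ on sub.domain.com,
// reached through a reverse proxy on 127.0.0.1 that sets X-Forwarded-Server.
$server = [
    'SERVER_NAME'             => 'sub.domain.com',
    'PHP_SELF'                => '/path/index.php',
    'HTTP_X_FORWARDED_SERVER' => 'sub.domain.com',
    'HTTP_X_FORWARDED_HOST'   => 'sub.domain.com',
    'REMOTE_ADDR'             => '127.0.0.1',
];
$trustedProxies = ['127.0.0.1'];

echo 'before: ', describeScope(buggyCookieScope($server)), PHP_EOL;
$scope = fixedCookieScope($server, $trustedProxies);
echo 'after:  ', describeScope($scope), PHP_EOL;

// The same request arriving directly rather than via the proxy, carrying a
// client-supplied X-Forwarded-Server: the header is ignored, SERVER_NAME wins.
$direct = $server;
$direct['REMOTE_ADDR'] = '203.0.113.5';
$direct['HTTP_X_FORWARDED_SERVER'] = 'other.example';
echo 'direct: ', describeScope(fixedCookieScope($direct, $trustedProxies)), PHP_EOL;

// Applying the corrected scope to the PHP session cookie (before session_start()).
// 2592000 seconds is the lifetime shown in the DEBUG log lines above.
session_set_cookie_params([
    'lifetime' => 2592000,
    'path'     => $scope['path'],
    'domain'   => $scope['domain'],
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```

Run it with `php` from the command line. The first line reproduces the duplicated host from the log excerpt, the second shows the scope the browser actually needs, and the third shows why the forwarded header should only be trusted from the proxy's own address rather than from whatever the request carries.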

@jtojnar
Member

jtojnar commented Jun 6, 2016

Does #766 fix your problem?

@lost-geographer
Contributor

@jtojnar No. I suppose that #766 didn't work because it changes the URL building rules only in the case of a normal http connection. This problem occurs in the case of an https or proxy connection.

However, I think your idea is good: it may allow Selfoss to get rid of the protocol verification in Authentication.php and View.php...

@jtojnar jtojnar added the bug label Feb 5, 2017
niol added a commit to niol/selfoss that referenced this issue Mar 3, 2017
This should fix fossar#756 and give a workaround for other cookie related issues.