[mythtv-users] checkboxes in Mythweb not sticking

Chris Petersen lists at forevermore.net
Sat Nov 5 22:04:50 EST 2005


> This is true even if the local hostname is explicitly added to 
> the Firefox allow/deny cookies list, which suggests that the cookie is 
> being choked by Apache (or php) because the site name in the cookie 
> doesn't match the server's name.

No, all that does is tell firefox to allow any cookies that the site 
sets for you.  Apache and php could care less about cookie permissions 
-- that's handled in the browser.

> FWIW, I have noticed a message in the 
> system startup that says "apache2: Could not determine the server's 
> fully qualified domain name, using x.x.x.x for ServerName" (with the 
> appropriate address inserted).  I suspect the cookie problem would fix 
> itself if I specified all of the legal server names in an apache config 
> file somewhere.

No, again.  Read the config file.  There's a setting called 
server_domain that is used for setting up cookie permissions.

Cookies work by a server sending out a cookie saying that it can only be 
accessed by servers within a specific domain set (or any/public).  The 
browser honors this request and only sends cookie information to servers 
that match what the cookies themselves say (you can also limit them to 
specific pathnames, which was handy back in the day when you'd have many 
users hosting their web pages at addresses like 
http://example.com/~username/).  Thus, if your server_domain is set 
automatically via what the webserver thinks it is (x.x.x.x in your 
example), then the cookies will go out being set to ONLY work for 
x.x.x.x domains).  For more info, see:

     http://wp.netscape.com/newsref/std/cookie_spec.html
     http://www.faqs.org/rfcs/rfc2965

If you MUST use different names for internal/external, it's time to 
learn how to use the hosts file (eg. /etc/hosts) and add an alias for 
your external name to point to the internal IP.  This works because the 
browser (and the server, for virtual server setups) only care about the 
NAME you request, not the actual IP.

This is also why "cookie hijacking" is such a big problem with IE, since 
you can install fake proxies to make IE think you're visiting a site 
like amazon.com, but in actuality you're visiting some scammer's site. 
The scammer then gets your amazon cookies sent to it, which they can 
then use to get at some of your login info at amazon, particularly your 
email address so they can send you spam (now that sites have gotten 
smarter about requiring authentication for any real access).

And finally...  In order for *any* session saving to work, mythweb will 
need to use cookies.  Nothing I can do about that without sticking an 
ugly session ID variable at the end of every URL (which of course only 
lasts until you close the browser window)

-Chris


More information about the mythtv-users mailing list