[mythtv-users] checkboxes in Mythweb not sticking
Chris Petersen
lists at forevermore.net
Sat Nov 5 22:04:50 EST 2005
> This is true even if the local hostname is explicitly added to
> the Firefox allow/deny cookies list, which suggests that the cookie is
> being choked by Apache (or php) because the site name in the cookie
> doesn't match the server's name.

No, all that does is tell Firefox to allow any cookies that the site
sets for you. Apache and php could care less about cookie permissions
-- that's handled in the browser.

> FWIW, I have noticed a message in the
> system startup that says "apache2: Could not determine the server's
> fully qualified domain name, using x.x.x.x for ServerName" (with the
> appropriate address inserted). I suspect the cookie problem would fix
> itself if I specified all of the legal server names in an apache config
> file somewhere.

No, again. Read the config file. There's a setting called
server_domain that is used for setting up cookie permissions.

Cookies work by a server sending out a cookie saying that it can only be
accessed by servers within a specific domain set (or any/public). The
browser honors this request and only sends cookie information to servers
that match what the cookies themselves say (you can also limit them to
specific pathnames, which was handy back in the day when you'd have many
users hosting their web pages at addresses like
http://example.com/~username/). Thus, if your server_domain is set
automatically via what the webserver thinks it is (x.x.x.x in your
example), then the cookies will go out being set to ONLY work for
x.x.x.x domains. For more info, see:

http://wp.netscape.com/newsref/std/cookie_spec.html
http://www.faqs.org/rfcs/rfc2965

If you MUST use different names for internal/external, it's time to
learn how to use the hosts file (e.g. /etc/hosts) and add an alias for
your external name to point to the internal IP. This works because the
browser (and the server, for virtual server setups) only care about the
NAME you request, not the actual IP.

This is also why "cookie hijacking" is such a big problem with IE, since
you can install fake proxies to make IE think you're visiting a site
like amazon.com, but in actuality you're visiting some scammer's site.
The scammer then gets your amazon cookies sent to it, which they can
then use to get at some of your login info at amazon, particularly your
email address so they can send you spam (now that sites have gotten
smarter about requiring authentication for any real access).

And finally... In order for *any* session saving to work, mythweb will
need to use cookies. Nothing I can do about that without sticking an
ugly session ID variable at the end of every URL (which of course only
lasts until you close the browser window).

-Chris
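
The cookie scoping described in the message above, as an added example that is not part of the original post: a browser-side model of domain and path matching (following RFC 6265, the current cookie specification) showing why a cookie scoped to the server's IP address is withheld when the same machine is reached by name. All hosts, addresses and cookie names are constructed, and the function names are hypothetical.

```javascript
// Added illustration: how a browser decides whether to attach a cookie.
// Hosts, addresses and cookie names below are constructed samples.

const isIPv4 = (host) => /^\d{1,3}(\.\d{1,3}){3}$/.test(host);

// A cookie's Domain matches the requested host if they are identical, or if
// the host is a name (never an IP literal) ending in "." + cookie domain.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  return !isIPv4(host) && host.endsWith("." + domain);
}

// A cookie's Path matches if it equals the request path or is a directory
// prefix of it ("/~alice" must not match "/~alicex/").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the browser send `cookie` with a request for `url`?
// Only the NAME in the URL is consulted, never the address it resolves to.
function cookieIsSent(cookie, url) {
  const { hostname, pathname } = new URL(url);
  return domainMatches(hostname, cookie.domain) && pathMatches(pathname, cookie.path);
}

// Cookie scoped to the address the web server fell back to (constructed).
const ipScoped = { name: "session_id", domain: "192.0.2.10", path: "/" };
// Cookie limited to one user's directory on a shared host (constructed).
const userScoped = { name: "prefs", domain: "example.com", path: "/~alice/" };

const requests = [
  [ipScoped, "http://192.0.2.10/mythweb/"],
  [ipScoped, "http://mythbox.example.net/mythweb/"], // same machine, other name
  [userScoped, "http://example.com/~alice/index.html"],
  [userScoped, "http://example.com/~bob/index.html"],
  [userScoped, "http://www.example.com/~alice/"],
];
for (const [cookie, url] of requests) {
  const verdict = cookieIsSent(cookie, url) ? "sent" : "withheld";
  console.log(`${cookie.name} -> ${url}: ${verdict}`);
}
```
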