On Fri, May 13, 2022 at 1:14 AM Toshi Esumi <email2@toshiesumi.com> wrote:
> On 5/12/22 04:31, Jeffrey Walton wrote:
>> I ran into this issue (or a very similar issue) several years ago. Or I had the same symptoms. Verify $wgServer matches the server name in httpd.conf. ...
> Thanks Jeff. It was spot on.
> First, I didn't know they needed to match, and I changed the $wgServer side only. Also, I recently installed a certificate to add SSL support, then forgot to update to $wgServer = https://...
Glad to hear it. It took us a couple of days to work out the problem when we experienced it.
I _think_ what happened was, the server was serving pages that violated the browser's Same Origin Policy (SOP). So you would log in over https using host example.com, and then you would get an http page from www.example.com and that would blow away the cookie.
In the browser's security model, an origin is a {protocol, host, port} triplet. All requests have to use the same origin. Switching between http and https, and switching between hosts example.com and www.example.com would muck things up.
That's why $wgServer, $wgCanonicalServer, ServerName and ServerAlias had to line up properly.
Jeff
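
The alignment discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not MediaWiki or Apache code: it compares the origin of $wgServer and $wgCanonicalServer with the origin a virtual host serves. The configuration snippets are constructed, the function names are hypothetical, and it assumes absolute URLs in LocalSettings.php and a bare hostname in ServerName.

```javascript
// Constructed sample configuration (not from the thread).
const LOCAL_SETTINGS = `
$wgServer = "http://example.com";
$wgCanonicalServer = "https://www.example.com";
`;
const HTTPD_CONF = `
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    SSLEngine on
</VirtualHost>
`;

// Read a quoted string assignment such as $wgServer = "https://...";
function phpSetting(src, name) {
  const m = src.match(new RegExp("^\\s*\\$" + name + "\\s*=\\s*[\"']([^\"']+)[\"']", "m"));
  return m ? m[1] : null;
}

// Read the value(s) of the first occurrence of an Apache directive.
function directive(src, name) {
  const m = src.match(new RegExp("^\\s*" + name + "\\s+(.+)$", "mi"));
  return m ? m[1].trim().split(/\s+/) : [];
}

// Origin the vhost serves: scheme from SSLEngine, host from ServerName,
// port from <VirtualHost addr:port>. Assumes ServerName is a bare hostname.
function vhostOrigin(conf) {
  const scheme = /^\s*SSLEngine\s+on\b/mi.test(conf) ? "https" : "http";
  const port = (conf.match(/<VirtualHost\s+[^>\s]*:(\d+)/i) || [])[1];
  const [host] = directive(conf, "ServerName");
  return new URL(`${scheme}://${host}${port ? ":" + port : ""}`).origin;
}

// Report every MediaWiki setting whose {protocol, host, port} differs
// from the vhost's origin; URL.origin normalizes default ports.
function checkOrigins(php, conf) {
  const expected = vhostOrigin(conf);
  const aliases = directive(conf, "ServerAlias");
  const findings = [];
  for (const name of ["wgServer", "wgCanonicalServer"]) {
    const value = phpSetting(php, name);
    if (value === null) continue;
    const actual = new URL(value);
    if (actual.origin !== expected) {
      findings.push({ setting: "$" + name, origin: actual.origin, expected,
                      hostIsAlias: aliases.includes(actual.hostname) });
    }
  }
  return findings;
}

console.log(checkOrigins(LOCAL_SETTINGS, HTTPD_CONF));
```

A finding with `hostIsAlias: true` means the host is one Apache will answer for, but it is still a different origin from the one under ServerName.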