On Fri, May 13, 2022 at 1:14 AM Toshi Esumi <email2(a)toshiesumi.com> wrote:
On 5/12/22 04:31, Jeffrey Walton wrote:
I ran into this issue (or a very similar issue) several years ago. Or
I had the same symptoms. Verify $wgServer matches the server name in
httpd.conf .
...
Thanks Jeff. It was spot on.
First I didn't know they needed to match and I changed $wgServer side
only. Also I recently installed a certificate to add SSL support then
forgot to update to $wgServer = https://...
Glad to hear it. It took us a couple of days to work out the problem
when we experienced it.
I _think_ what happened was, the server was serving pages that
violated the browser's Same Origin Policy (SOP). So you would login
over https using host
example.com, and then you would get a http page
from
www.example.com and that would blow away the cookie.
In the browser's security model, an origin is a {protocol, host, port}
triplet. All requests have to use the same origin. Switching between
http and https, and switching between hosts
example.com and
www.example.com would muck things up.
That's why $wgServer, $wgCanonicalServer, ServerName and ServerAlias
had to line-up properly.
Jeff