Variants of the question:
- I can’t log in…
- My cookies don’t hold…
- b2evolution asks for my password again and again…
- b2evolution tells me "incorrect crumb received" again and again…
Short Answer
- Either your
$baseurlis not configured properly in _basic_config.php; - Or you are not using the same consistent URL / not the same consistent domain to connect to your site.
Long Answer
In the file /conf/_basic_config.php, you have set an URL with a statement like this:
$baseurl = 'http://www.mysite.com/';This will be used as the basis for setting cookies (see $cookie_domain and $cookie_path in _advanced.php; details below). Cookies will work for this URL and with this URL only (and everything that is below that URL).
If your site can be accessed through several URLs, you will have issues! For example:
- if you try to access your site through
http://www.mydomain.com/orhttp://192.168.1.2/and your$baseurlis set forhttp://subdomain.mydomain.com/, your cookies will not work and you will not be able to log in. - if you try to access your site through
http://www.mydomain.com/and your$baseurlis set forhttp://www.mydomain.com/blog/, your cookies will not work and you will not be able to log in.
So the rule of thumb is: use one single server name to access b2evolution, pick one specific folder (which can be /) and configure that exact URL name in your $baseurl!
Notes:
- If it’s still not working, you may need to clear all the cookies from your browser before it will work properly. (You may have an old cookie that takes precedence over the new one.)
- If you really need to use multiple domains, see: Multi-Domain Setup.
- If you’re using a reverse-proxy in front of b2evolution and you translate to a different domain, pay attention to translating the cookie domain.
- If you want to control your cookies more precisely, see below.
Why do we set such restrictive cookies?
Because in some situations (testing or otherwise) people are installing several instances of b2evolution (sometimes even different versions of b2evolution) on a single server. We have to restrict by folder and/or subdomain in order not to mix up the cookies.
By having narrow cookie scopes, it is possible to run several b2evolution instances concurrently without interference.
The tradeoff is that you cannot use different URLs to access your blog by default. This is a rare situation that is not recommended for best SEO practices anyways. (If you still want to do it no matter what, see below).
For local test setups
For local tests, we recommend you use this:
$baseurl = 'http://localhost/';For multi-domain setups
See: Multi-Domain Setup.
Technical details & Full control
IN b2evolution 6.7.5+, many settings have been move to the back-office. See: Cookie Settings Panel.
In the file _advanced.php and unless you manually change it, we perform the following:
- we will automatically extract
$basehostfrom the$baseurl. For example, your$basehostcould be extracted aswww.mysite.com. - we will automatically set your
$cookie_domainbased on your$basehost. For example, your$cookie_domaincould be set tomysite.com. Important: if your$basehostis something likesubdomain.domain.com, your$cookie_domainwill NOT be reduced todomain.com. It will stay assubdomain.domain.com. - we will automatically extract
$cookie_pathfrom your$baseurl. If you’re running in the root folder, the$cookie_pathwill be/.
Use your browser developer tools to inspect the cookies received and/or sent by your web browser. See the screenshot above.
In _advanced.php you will find all the following variables to further control your cookie name and scope. You may use this in special situations where you want a more laxist cookie policy than the default:
// ** Cookies **
/**
* This is the path that will be associated to cookies.
*
* That means cookies set by this b2evo install won't be seen outside of this path on the domain below.
*
* @global string Default: preg_replace( '#https?://[^/]+#', '', $baseurl )
*/
$cookie_path = preg_replace( '#https?://[^/]+#', '', $baseurl );
/**
* Cookie domain.
*
* That means cookies set by this b2evo install won't be seen outside of this domain.
*
* We'll take {@link $basehost} by default (the leading dot includes subdomains), but
* when there's no dot in it, at least Firefox will not set the cookie. The best
* example for having no dot in the host name is 'localhost', but it's the case for
* host names in an intranet also.
*
* Note: ".domain.com" cookies will be sent to sub.domain.com too.
* But, see http://www.faqs.org/rfcs/rfc2965:
* "If multiple cookies satisfy the criteria above, they are ordered in
* the Cookie header such that those with more specific Path attributes
* precede those with less specific. Ordering with respect to other
* attributes (e.g., Domain) is unspecified."
*
* @global string Default: ( strpos($basehost, '.') ) ? '.'. $basehost : '';
*/
if( strpos($basehost, '.') === false )
{ // localhost or windows machine name:
$cookie_domain = '';
}
elseif( preg_match( '~^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$~i', $basehost ) )
{ // The basehost is an IP address, use the basehost as it is:
$cookie_domain = $basehost;
}
else
{ // Keep the part of the basehost after the www. :
$cookie_domain = preg_replace( '/^(www\. )? (.+)$/xi', '.$2', $basehost );
// When hosting multiple domains (not just subdomains) on a single instance of b2evo,
// you may want to try this:
// $cookie_domain = '.'.$_SERVER['HTTP_HOST'];
// or this: -- Have a cookie domain of 2 levels only, base on current basehost.
// $cookie_domain = preg_replace( '/^( .* \. )? (.+? \. .+? )$/xi', '.$2', $basehost );
// fp> pb with domains like .co.uk !?
}
/**
* Name used for session cookies.
*/
$cookie_session = str_replace( '.', '_', 'session_'.$instance_name.'_'.$cookie_domain );
/**
* Names used for other cookies.
*
* The following remember the comment meta data for non registered users:
*/
$cookie_name = 'cookie'.$instance_name.'name';
$cookie_email = 'cookie'.$instance_name.'email';
$cookie_url = 'cookie'.$instance_name.'url';
/**
* Expiration for comment meta data cookies.
*
* Note: user sessions use different settings (config in admin)
*
* Value in seconds, set this to 0 if you wish to use non permanent cookies (erased when browser is closed).
* Default: time() + 31536000 (one year from now)
*
* @global int $cookie_expires
*/
$cookie_expires = time() + 31536000;
/**
* Expired-time used to erase comment meta data cookies.
*
* Note: user sessions use different settings (config in admin)
*
* Default: time() - 86400 (24 hours ago)
*
* @global int $cookie_expired
*/
$cookie_expired = time() - 86400;
/**
* Crumb expiration time
*
* Default: 2 hours
*
* @global int $crumb_expires
*/
$crumb_expires = 7200;