Cookies not being set on localhost

[eluser]praj[/eluser]
I thought I would post this in case anyone else runs into the same trouble.

Running CodeIgniter 2.1.0 on MAMP (Mac OSX 10.7.2, various browsers tested including Chrome 16.0.x, Safari 5.1.2, Firefox 9.0) I couldn't get the Session class to create cookies (either as cookies or in the DB). Lots of investigation and tweaking later, I pinpointed it to the following:

Code:

$config['cookie_secure'] = FALSE; // Cannot be TRUE in localhost or cookies are not set in $_COOKIE array

As per the comments above, setting the cookie_secure property seems to be the issue (in my case anyway). Trolling through the forums and google searches, there are various reasons why your cookies may not work correctly - this is one reason when developing locally.

Setting:

Code:

$config['global_xss_filtering'] = TRUE;

Was not the issue (there are suggestions this can cause problems).

Here are my cookie settings for reference:

Code:

$config['sess_cookie_name']  = 'ci_session';
$config['sess_expiration']  = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name']  = 'sessions';
$config['sess_match_ip']  =  FALSE;
$config['sess_match_useragent'] = TRUE;

Note that 'sess_encrypt_cookie' is true above.

[eluser]WanWizard[/eluser]
'localhost' is an invalid hostname, as per RFC 2965.

More and more browsers will reject it as a valid hostname for cookies. In short, browsers should reject cookies when any of the following rules are true:

* The value for the Path attribute is not a prefix of the request-URI.
* The value for the Domain attribute contains no embedded dots, and the value is not .local.
* The effective host name that derives from the request-host does not domain-match the Domain attribute.
* The request-host is a HDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
* The Port attribute has a “port-list”, and the request-port was not in the list.

And as you can see, 'localhost' falls under point 2.

[eluser]praj[/eluser]
As as I should have I guessed, I only noticed the following comment in config.php AFTER making this post:

// 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.

So, since you are very unlikely to have https enabled while developing locally - that would explain the problem

[eluser]praj[/eluser]
Interestingly, I don't have that problem with the cookie domain not being set to .local - leaving it as "" works fine.

I've seen that mentioned quite a few times, but leaving the setting as:

Code:

$config['cookie_domain'] = "";

Works fine using localhost and the browsers mentioned in the original post.

[eluser]WanWizard[/eluser]
Nobody's saying that you have to set the domain to ".local".

It says: "every hostname that does not contain embedded dots, and is not .local, is invalid". And "localhost" does not contain a dot.

So expect browsers are going to reject it, if not today, then tomorrow, as part of attempts to make cookies more secure.

Therefore I suggest to no longer use localhost, but simply add something like "mymac.local" to your /etc/hosts, and use that.

[eluser]praj[/eluser]
That does make sense. Thanks for the tip, much appreciated.