In order to fully support multi-domain installation we need to rework and improve cookie domain detection.
Currently $_SERVER['HTTP_HOST'] is used as cookie domain, however there are cases when you can't fully rely on this especially in cases with single installation running on multiple Domains.
Example: demo.in-portal.net, demo.in-portal.com, www.in-portal.org, in-portal.org
Proposing:
a. Add new configuration variable: CustomCookieDomains where administrator can list all domain names (one per line) on which In-Portal matches domain from $_SERVER['HTTP_HOST']. User must enter exact cookie domain (with all leading dots if any).
b. New variable will be placed in Admin->Configuration->Website->Advanced: Cookie Settings section and will be disabled/empty by default so it works as they are now.
When
- nothing is entered into CustomCookieDomains variable
- when none of entered cookie domains will match domain from $_SERVER['HTTP_HOST']
and $_SERVER['HTTP_HOST'] consists of 3 parts (e.g. "www.domain.com" or "ftp.domain.com"), then we automatically detect cookie domain as ".domain.com" (last 2 parts).
In case, when $_SERVER['HTTP_HOST'] consists of more, then 3 parts, then use $_SERVER['HTTP_HOST'] as cookie domain.
When cookie domains from configuration variable are matched, then leading dot should be stripped (only when matching).
domain.com
sub.domain.com
www.domain.com
will match to "domain.com"