Last modified: 2007-04-25 18:38:23 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T5826, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 3826 - Cookie problem when database name contains dot or plus
Cookie problem when database name contains dot or plus
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
PC Linux
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-need-review
Depends on:
  Show dependency treegraph
Reported: 2005-10-29 13:52 UTC by Marc Quinton
Modified: 2007-04-25 18:38 UTC (History)
2 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Remove bad characters from the cookie name (418 bytes, patch)
2007-04-16 13:05 UTC, Antoine "hashar" Musso (WMF)
The remaining one line of my patch. (378 bytes, patch)
2007-04-24 22:20 UTC, Anders Kaseorg
The remaining one line of my patch, revised (377 bytes, patch)
2007-04-24 23:16 UTC, Anders Kaseorg

Description Marc Quinton 2005-10-29 13:52:56 UTC
In the site here, database name and username are fixed by my ISP ( So I
can't change them.
Wikimedia 1.5.1 could not work as is because I could not keep my login. Password
where OK
but was not setup correctly because cookies are prefixed with database name.

But cookies do not support names with dots so cookies are received in php with
that form :


Dots are converted to underline.

So I need make a patch to correct that. I've created a $wgCookiePrefix variable
that can have by default a value of $wgDBname. And then I need to change
all acces to cookies mainly in includes/SpecialUserlongin.php and

I can submit a patch.
Comment 1 Anders Kaseorg 2005-12-01 09:40:46 UTC
This is also a problem when the database name contains a + sign (my database
host only lets me create databases named username+suffix), and possibly other

Can you post your patch?
Comment 2 Anders Kaseorg 2005-12-01 10:01:01 UTC
Or I could post my own:
Comment 3 Anders Kaseorg 2005-12-06 23:31:15 UTC
I experimentally determined an exaustive list of bad characters:
  =,; +."'\[
The first four are disallowed, the next two are silently converted into _, the
next three are silently escaped with a backslash, and the last is used for
cookie arrays. I've updated my patch to replace all these characters with _:
Comment 4 Anders Kaseorg 2006-03-04 23:09:29 UTC
Huh. It seems that all of my patch got applied in 1.5.7 except the one important
line, which now needs to be:
  $wgCookiePrefix = strtr($wgCookiePrefix, "=,; +.\"\'\\[", "__________");
Comment 5 Marc Quinton 2006-09-23 09:49:12 UTC
this probleme is still present with MediaWiki 1.1.7. You can edit
includes/Setup.php, line 119, just add :

  $wgCookiePrefix = str_replace('.', '_', $wgCookiePrefix);
Comment 6 Antoine "hashar" Musso (WMF) 2007-04-16 13:05:27 UTC
Created attachment 3453 [details]
Remove bad characters from the cookie name

It might fix Bug 3535 too.
Comment 7 Brion Vibber 2007-04-24 20:34:19 UTC
Uh, that str_replace in the patch doesn't sound like it'll do the job.
Comment 8 Anders Kaseorg 2007-04-24 22:17:39 UTC
What exactly is wrong with my patch (see comment #3 and comment #4)?  I’ve had
this carefully designed, well tested, working patch sitting around for over a
year, deployed on several production wikis—and for some unfathomable reason,
everyone is trying to (incorrectly!) rewrite the one critical line of it that
wasn't already integrated in 1.5.7…

$wgCookiePrefix = strtr($wgCookiePrefix, "=,; +.\"\'\\[", "__________");
Comment 9 Anders Kaseorg 2007-04-24 22:20:36 UTC
Created attachment 3520 [details]
The remaining one line of my patch.
Comment 10 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-04-24 22:28:27 UTC
Note that it should probably be

"=,; +.\"'\\["

i.e., minus the extra \ before the '.  That will be printed literally,
otherwise, making it 11 characters -> 10 characters.  It could even be

"=,; +.\"'\["

With that modification the patch should work as intended (rather than almost as
intended, with [ not getting converted: "the extra characters in the longer of
the two are ignored").  Sorry for the delay, we can take a while on these things
if we get to them at all . . .
Comment 11 Anders Kaseorg 2007-04-24 23:16:18 UTC
Created attachment 3521 [details]
The remaining one line of my patch, revised

Thanks, that’s more helpful.	Here’s a revised patch.
Comment 12 Brion Vibber 2007-04-25 18:38:23 UTC
Applied in r21580

Note You need to log in before you can comment on or make changes to this bug.