Let's say you give someone your domain as "www.domain.com", and some people attempt to register or create an account via the
Unless you registered your XOOPS URL in the code as http://www.domain.com (which is usually avoided because it disables sub-domains and other functionality), whenever someone logs in with the www in the address bar, the form will send them to the domain you set in your settings WITHOUT logging them in.
There is a very simple fix. In mainfile.php, near the bottom, you will find this code:
    foreach ( array('GLOBALS', '_SESSION', 'HTTP_SESSION_VARS', '_GET', 'HTTP_GET_VARS', '_POST', 'HTTP_POST_VARS', '_COOKIE', 'HTTP_COOKIE_VARS', '_REQUEST', '_SERVER', 'HTTP_SERVER_VARS', '_ENV', 'HTTP_ENV_VARS', '_FILES', 'HTTP_POST_FILES', 'xoopsDB', 'xoopsUser', 'xoopsUserId', 'xoopsUserGroups', 'xoopsUserIsAdmin', 'xoopsConfig', 'xoopsOption', 'xoopsModule', 'xoopsModuleConfig', 'xoopsRequestUri') as $bad_global ) {
        if ( isset( $_REQUEST[$bad_global] ) ) {
            header( 'Location: '.XOOPS_URL.'/' );
Replace it with the code below (the only thing added is a period after the "Location: "). Sub-domains and wildcard domain prefixes (*.domain.com) will read the cookies that were created on the main page...
    foreach ( array('GLOBALS', '_SESSION', 'HTTP_SESSION_VARS', '_GET', 'HTTP_GET_VARS', '_POST', 'HTTP_POST_VARS', '_COOKIE', 'HTTP_COOKIE_VARS', '_REQUEST', '_SERVER', 'HTTP_SERVER_VARS', '_ENV', 'HTTP_ENV_VARS', '_FILES', 'HTTP_POST_FILES', 'xoopsDB', 'xoopsUser', 'xoopsUserId', 'xoopsUserGroups', 'xoopsUserIsAdmin', 'xoopsConfig', 'xoopsOption', 'xoopsModule', 'xoopsModuleConfig', 'xoopsRequestUri') as $bad_global ) {
        if ( isset( $_REQUEST[$bad_global] ) ) {
            header( 'Location: .'.XOOPS_URL.'/' );
This also helps for servers that don't use sessions as they should.
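
A different way to handle the www / non-www mismatch described above is to send the visitor to the host configured in XOOPS_URL before the login form is shown, so the session cookie is set and read on the same host. This is an added example, not part of the original text and not XOOPS code; canonical_redirect_target() is a hypothetical helper name, and it assumes XOOPS_URL is the constant from mainfile.php.

```php
<?php
// Added example, not XOOPS code. canonical_redirect_target() is a hypothetical
// helper; XOOPS_URL is the constant defined in mainfile.php.

/**
 * Return the URL on XOOPS_URL's host to send the visitor to when the request
 * host differs only by a leading "www.", or null when no redirect applies.
 */
function canonical_redirect_target($xoopsUrl, $requestHost, $requestUri)
{
    $p = parse_url($xoopsUrl);
    if (!is_array($p) || empty($p['host'])) {
        return null; // XOOPS_URL has no host: do nothing
    }
    $canonical = strtolower($p['host']);
    // The Host header is client-controlled: normalise it and drop any port.
    $host = strtolower(preg_replace('/:\d+$/', '', (string) $requestHost));
    $bare = function ($h) {
        return preg_replace('/^www\./', '', $h);
    };
    if ($host === $canonical || $bare($host) !== $bare($canonical)) {
        return null; // already canonical, or an unrelated host we never redirect for
    }
    // Accept only a local path without control characters.
    if (!is_string($requestUri) || !preg_match('#^/[^\x00-\x1f\x7f]*\z#', $requestUri)) {
        $requestUri = '/';
    }
    $scheme = isset($p['scheme']) ? $p['scheme'] : 'http';
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return $scheme . '://' . $canonical . $port . $requestUri;
}

// In mainfile.php this would run for GET requests only (a redirect drops POST data):
//   $to = canonical_redirect_target(XOOPS_URL, $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']);
//   if ($to !== null) { header('Location: ' . $to, true, 301); exit(); }

// Constructed sample requests against a site configured as http://domain.com
$samples = array(
    array('www.domain.com', '/user.php'),      // www variant of the configured host
    array('domain.com', '/user.php'),          // already canonical
    array('www.other.example', '/user.php'),   // unrelated host
);
foreach ($samples as $s) {
    $to = canonical_redirect_target('http://domain.com', $s[0], $s[1]);
    echo $s[0], ' -> ', ($to === null ? 'no redirect' : $to), "\n";
}
```

The request host is only compared against the configured one and never copied into the Location header, so a forged Host header cannot steer the redirect.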