1
goffy
Solution for Not able to login anymore after upgrading to XOOPS 2.5.11 and 2.5.12 Beta 8
  • Today 9:16

  • goffy

  • Just can't stay away

  • Posts: 548

  • Since: 2010/12/27


I had a problem with two of my websites. Suddenly, I couldn't log in anymore.
The problem was that XOOPS couldn't set the cookies properly. The cause was an incorrect value in the mainfile.php.
Example:
Web host's domain: https://myhoster.com
My website's domain: https://mywebsite.com
In the mainfile.php, there was
define('XOOPS_COOKIE_DOMAIN', 'myhoster.com');

instead of
define('XOOPS_COOKIE_DOMAIN', 'mywebsite.com');

Since it worked for years, I didn't recognize the problem. I suspect the host made some changes to the settings, causing the issue to suddenly appear.
You may have/get the same problem. If yes, then check your mainfile.php.

Many thanks to Mamba for identifying the issue.

2
Mamba
Re: Solution for Not able to login anymore after upgrading to XOOPS 2.5.11 and 2.5.12 Beta 8

Actually, instead of specifying the domain like this:

define('XOOPS_COOKIE_DOMAIN', 'mywebsite.com');

you can use:
define('XOOPS_COOKIE_DOMAIN', '');


And to give you more background, the old, incorrect setting only worked because browsers used to have very relaxed security rules for cookies, which they have since tightened significantly.

Old Behavior (Pre-XOOPS 2.5.11 & Older Browsers)
In the past, when a cookie was set, browsers defaulted to a SameSite=None policy. This meant a cookie could be sent even if its domain (myhoster.com) didn't match the website's domain (mywebsite.com). The browser saw it as a "third-party" cookie but allowed it to work for logins. This was a fragile setup that relied on insecure defaults.

New Behavior (XOOPS 2.5.11+ & Modern Browsers)
To prevent security vulnerabilities like Cross-Site Request Forgery (CSRF), all major browsers (Chrome, Firefox, Edge) now default to SameSite=Lax for cookies.
• SameSite=Lax means the browser will only send a cookie if the domain in the cookie matches the domain of the website you are currently visiting.
• When your user on mywebsite.com tried to log in, XOOPS told the browser to set a cookie for "myhoster.com".
• On the next page load, the browser looked at the cookie for myhoster.com and said, "Nope, you're not on 'myhoster.com', you're on mywebsite.com. I'm not sending this cookie."

So again, if you have set the XOOPS_COOKIE_DOMAIN to something that is not your domain, just replace it with your domain name, or simply with:

define('XOOPS_COOKIE_DOMAIN', '');
Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs
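As an added example (not code from either post or from XOOPS itself), the following Python checker applies the domain-match rule a browser uses for a cookie's Domain attribute (RFC 6265): a cookie whose Domain does not match the host that set it is discarded, which is why the myhoster.com value above leaves mywebsite.com with no session cookie. It assumes mainfile.php also defines XOOPS_URL next to XOOPS_COOKIE_DOMAIN; the two mainfile.php snippets are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed samples of the relevant mainfile.php lines (not a real site's file).
MAINFILE_BROKEN = """
define('XOOPS_URL', 'https://mywebsite.com');
define('XOOPS_COOKIE_DOMAIN', 'myhoster.com');
"""
MAINFILE_FIXED = """
define('XOOPS_URL', 'https://mywebsite.com');
define('XOOPS_COOKIE_DOMAIN', '');
"""

# Matches define('NAME', 'value') lines as written in mainfile.php.
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")


def parse_defines(mainfile_text: str) -> dict:
    """Return the define('NAME', 'value') pairs found in mainfile.php text."""
    return dict(DEFINE_RE.findall(mainfile_text))


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it.

    A leading dot on the Domain attribute is ignored, as browsers do.
    (Public-suffix rejection, e.g. Domain=com, is not modelled here.)
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def check_cookie_domain(mainfile_text: str) -> str:
    """Report whether a browser would keep the session cookie XOOPS sets.

    An empty XOOPS_COOKIE_DOMAIN means setcookie() sends no Domain attribute,
    so the browser stores a host-only cookie for the site's own host.
    """
    cfg = parse_defines(mainfile_text)
    host = urlsplit(cfg["XOOPS_URL"]).hostname
    domain = cfg.get("XOOPS_COOKIE_DOMAIN", "")
    if domain == "":
        return f"ok: host-only cookie for {host}"
    if domain_matches(host, domain):
        return f"ok: Domain={domain} covers {host}"
    return f"broken: browser rejects Domain={domain} set by {host}; login cannot persist"
```

Run check_cookie_domain() on the contents of your own mainfile.php to see which of the three outcomes applies before editing the file.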
