Login issues? Check your domain for underscores

Mon, 02/13/2017 - 11:41 -- admin

I recently migrated a Wordpress installation to a new site, and when demoing the new install I found I was unable to login. I checked the usual places, database had the correct url, there were no funky redirects and I disabled ALL the plugins. This led to 30 minutes of hair pulling confusion and frustration. Login worked from Firefox on my desktop, but failed in Safari and from every other machine I tried it on. This was strange because the installation was fine on the other URL, there had been no changes to the files. After some sniffing of the traffic to the browser, I found out that the cookie was sent but not being set in Safari. A quick search led to this embarrassing revelation. This is from the Uniform Resource Identifier (URI): Generic Syntax http://tools.ietf.org/html/rfc3986

2.3. Unreserved Characters
Characters that are allowed in a URI but do not have a reserved purpose
are called unreserved. These include uppercase and lowercase letters, decimal
digits, hyphen, period, underscore, and tilde.
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~

That is to say, underscores aren't specifically allowed in domains. So, if a cookie comes from a domain with one the browser is rejecting it. Luckily this was a staging subdomain, so I was able to relocate it easily. Something to look out for...