[wp-trac] [WordPress Trac] #27373: "Cookies are blocked" error is misleading
WordPress Trac
noreply at wordpress.org
Wed Mar 26 13:33:05 UTC 2014
#27373: "Cookies are blocked" error is misleading
------------------------------------+------------------
Reporter: SergeyBiryukov | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.9
Component: Login and Registration | Version: 3.7
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
------------------------------------+------------------
Description changed by SergeyBiryukov:
Old description:
> A lot of users reported
> [https://www.google.com/search?q=%22Cookies+are+blocked+or+not+supported%22
> ""Cookies are blocked or not supported by your browser""] error on login
> page after the upgrade to 3.7. Most of the time it has nothing to do with
> their browser.
>
> Before 3.7, the presence of the test cookie was only checked in case of
> an invalid username or password.
>
> Since [25045], we always check the test cookie before calling
> `wp_signon()`. This made the issue much more prominent. Here are some
> scenarios to reproduce it:
>
> 1. [http://wordpress.org/support/topic/cookies-are-blocked-or-not-supported-since-update-to-371/page/4?replies=105#post-4907345 "Some proxy/caching servers"]
> (e.g. Varnish) are configured to not allow setting cookies on GET
> requests. On a second attempt (after a POST request has been made), the
> user is able to log in.
> 2. One of the active plugins (or the theme's `functions.php` file)
> produces unexpected output, causing a "headers already sent" warning and
> consequently preventing WordPress from setting the test cookie.
> 3. [https://en.wikipedia.org/wiki/Byte_order_mark UTF-8 byte order mark]
> in `wp-config.php` (or the theme's `functions.php` file) has the same
> effect as above.
> 4. [http://wordpress.org/support/topic/error-cookies-are-blocked-or-not-supported-by-your-browser-1?replies=10#post-5172053 Invalid COOKIE_DOMAIN value]
> in `wp-config.php`. According to the original
> [http://curl.haxx.se/rfc/cookie_spec.html cookie specification], the
> domain value, if specified, must have at least two dots, so
> [http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain 'localhost' is invalid].
> 5. [http://wordpress.org/support/topic/cookies-are-blocked-or-not-supported-by-your-browser-1?replies=18#post-5003387 CloudFlare caching rules]
> prevent the test cookie from being set.
New description:
A lot of users reported
[https://www.google.com/search?q=%22Cookies+are+blocked+or+not+supported%22
""Cookies are blocked or not supported by your browser""] error on login
page after the upgrade to 3.7. Most of the time it has nothing to do with
their browser.
Before 3.7, the presence of the test cookie was only checked in case of an
invalid username or password.
Since [25045], we always check the test cookie before calling
`wp_signon()`. This made the issue much more prominent. Some articles even
suggest hacking core as a workaround, which induced me to investigate it.
Here are some scenarios to reproduce it:
1. [http://wordpress.org/support/topic/cookies-are-blocked-or-not-supported-since-update-to-371/page/4?replies=105#post-4907345 "Some proxy/caching servers"]
(e.g. Varnish) are configured to not allow setting cookies on GET requests.
On a second attempt (after a POST request has been made), the user is able
to log in.
2. One of the active plugins (or the theme's `functions.php` file)
produces unexpected output, causing a "headers already sent" warning and
consequently preventing WordPress from setting the test cookie.
3. [https://en.wikipedia.org/wiki/Byte_order_mark UTF-8 byte order mark]
in `wp-config.php` (or the theme's `functions.php` file) has the same
effect as above.
4. [http://wordpress.org/support/topic/error-cookies-are-blocked-or-not-supported-by-your-browser-1?replies=10#post-5172053 Invalid COOKIE_DOMAIN value]
in `wp-config.php`. According to the original
[http://curl.haxx.se/rfc/cookie_spec.html cookie specification], the
domain value, if specified, must have at least two dots, so
[http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain 'localhost' is invalid].
5. [http://wordpress.org/support/topic/cookies-are-blocked-or-not-supported-by-your-browser-1?replies=18#post-5003387 CloudFlare caching rules]
prevent the test cookie from being set.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27373#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
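
Added example, not part of the ticket or of WordPress core: a site-side check for scenarios 2 to 4 above (stray output or a UTF-8 byte order mark around the PHP tags, and a `COOKIE_DOMAIN` value that fails the "at least two dots" rule). The function names, the sample files and the choice to count a missing leading dot as implied are assumptions of this example; the closing-tag check is a heuristic that does not parse PHP strings or comments.

```python
import re

BOM = b"\xef\xbb\xbf"
DEFINE_RE = re.compile(rb"""define\s*\(\s*['"]COOKIE_DOMAIN['"]\s*,\s*['"]([^'"]*)['"]""")

def stray_output(src):
    """Describe bytes PHP would send as page output when this file is included."""
    found = []
    if src.startswith(BOM):
        found.append("UTF-8 byte order mark before <?php")
        src = src[len(BOM):]
    start = src.find(b"<?php")
    if start == -1:
        found.append("no <?php tag, whole file is output")
    elif start > 0:
        found.append(f"{start} byte(s) before <?php")
    close = src.rfind(b"?>")
    if close != -1:
        # PHP swallows one newline right after the closing tag; anything more is output.
        tail = re.sub(rb"\A(\r\n|\n|\r)", b"", src[close + 2:])
        if tail and b"<?php" not in tail:
            found.append(f"{len(tail)} byte(s) after closing ?>")
    return found

def cookie_domain_issues(src):
    """Apply the ticket's 'at least two dots' rule to a string COOKIE_DOMAIN."""
    m = DEFINE_RE.search(src)
    if m:
        value = m.group(1).decode("ascii", "replace")
        # Assumption of this example: a missing leading dot is counted as implied.
        if ("." + value.lstrip(".")).count(".") < 2:
            return [f"COOKIE_DOMAIN '{value}' has fewer than two dots"]
    return []

def audit(files):
    """Map each file name to its findings, omitting clean files."""
    found = {n: stray_output(s) + cookie_domain_issues(s) for n, s in files.items()}
    return {n: f for n, f in found.items() if f}

# Constructed sample inputs, not taken from any real site.
SAMPLES = {
    "wp-config.php": BOM + b"<?php\ndefine( 'COOKIE_DOMAIN', 'localhost' );\n",
    "functions.php": b"<?php\nadd_action( 'init', 'my_setup' );\n?>\n\n",
    "clean.php": b"<?php\ndefine( 'COOKIE_DOMAIN', 'example.com' );\n",
}

if __name__ == "__main__":
    for name, issues in audit(SAMPLES).items():
        print(name, issues)
```

To check a real install, read each file in binary mode and pass the resulting name-to-bytes mapping to `audit()`.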