Bug #65187
closedHaving nested installations makes BE login fail with no error message
100%
Description
Consider a setup like this:
webroot/firstInstance webroot/firstInstance/secondInstance
Logging into BE of firstInstance causes "be_typo_user" cookie to be set, with path /firstInstance.
Trying to log in into secondInstance sets another "be_typo_user" cookie with path /firstInstance/secondInstance.
When \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::getCookie tries to evaluate the cookie, it uses $_SERVER['HTTP_COOKIE'], the raw cookie string, which contains both cookies then for the secondInstance.
The loop in getCookie() selects the last cookie found, which seems to be the one for /firstInstance.
All tests currently showed that the browser seems to send the more specific (path-wise) cookie first. So a solution might be to change the logic to select the first cookie found.
http://stackoverflow.com/a/24214538 cites RFC sections which suggest the user-agents to send more specific cookies first, but on the other hand also suggest that the server shall not rely on this.
Test show that all major browsers in the current version actually follow this guideline. It is therefore at least "more correct" to select the first cookie instead of the last.