Bug #65187
Updated by Markus Klein about 9 years ago
Consider a setup like this:
<pre>
webroot/firstInstance
webroot/firstInstance/secondInstance
</pre>
Logging into BE of firstInstance causes "be_typo_user" cookie to be set, with path /firstInstance.
Trying to log in into secondInstance sets another "be_typo_user" cookie with path /firstInstance/secondInstance.
When \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::getCookie tries to evaluate the cookie, it uses $_SERVER['HTTP_COOKIE'], the raw cookie string, which contains both cookies then for the secondInstance.
The loop in getCookie() selects the *last* cookie found, which seems to be the one for /firstInstance.
All tests currently showed that the browser seems to send the more specific (path-wise) cookie first. So a solution might be to change the logic to select the *first* cookie found.
http://stackoverflow.com/a/24214538 cites RFC sections which suggest the user-agents to send more specific cookies first, but on the other hand also suggest that the server shall not rely on this.
Test show that all major browsers in the current version actually follow this guideline. It is therefore at least "more correct" to select the first cookie instead of the last.