• Resolved willem.deboer

    (@willemdeboer)


    Since updating WP to 3.7.1, when users attempt to login to my WP site, they receive an error message:

    “Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.”

    Cookies are enabled. Never had the message before, site is unchanged since 3.7, and with cookies enabled in all browsers, you still see the message when logging in.

    I disabled themes and plugins, to no avail.
    Tried the other hacks in several threads, but no cigar. All they did was produce a white screen.

    Anyone else experiencing this or have a suggested solution? All help is appreciated. I need to update my site with new artwork, but I can’t login to the admin screen!

Viewing 15 replies - 76 through 90 (of 104 total)
  • I doubt it’s PHP. (and I’ve tested on PHP 5.2.x, 5.3.x, 5.4.x, and 5.5.x – all good) Since JavaScript runs client side, no surprise that cookies can be set that way. It all points to server configuration/environment, with proxy server definitely a possibility.

    In all the testing I’ve done, the only way I’ve gotten the cookie to not set properly is by modifying my Varnish config.

    @scriptrunner (Doug Sparling): Can you clarify the results of your testing with Varnish? For example:

    Is the default Varnish config OK?
    If not, what changes need to be made?

    Thread Starter willem.deboer

    (@willemdeboer)

    My site has just updated itself automagically to 3.7.1 again, no change.

    @esmi

    Default Varnish config is OK. (everything is basically commented out) I am going to experiment by uncommenting more of what’s in the default config file.

    I added the WordPress specific config from these templates to my Varnish config, and everything worked ok:

    https://github.com/mattiasgeniar/varnish-3.0-configuration-templates/blob/master/conf.d/fetch/wordpress.vcl

    https://github.com/mattiasgeniar/varnish-3.0-configuration-templates/blob/master/conf.d/receive/wordpress.vcl

    If I change

    if (!(req.url ~ "wp-(login|admin)")) {
        unset beresp.http.set-cookie;
    }

    to

    if (!(req.url ~ "wp-admin")) {
        unset beresp.http.set-cookie;
    }

    Then I get the cookies not supported error message on WordPress 3.7.1 because now Varnish is unsetting the test cookie from wp-login.php. But…by doing this I can’t login to WordPress 3.6.1 either, I just don’t get the message, (in both cases the testcookie is not set) though I stay on wp-login.php, just no error message.

    I’m not seeing an obvious way to configure Varnish in a way that it would break WordPress 3.7.1 but not affect previous versions of WordPress.

    @esmi – in the case of @willem.deboer it looks like he’s coming through a proxy server as well, but not sure it’s Varnish:

    Via: 1.1 W0211, 1.1 W020

    I gave up, removed varnish and all works perfectly fine.

    @jgjh151 – would you mind either posting your Varnish config file(s) or sending them to me (dougsparling at gmail dot com). I’m still baffled how Varnish would cause 3.7.1 to fail, yet pre-3.7.1 would work.

    Thread Starter willem.deboer

    (@willemdeboer)

    Then I get the cookies not supported error message on WordPress 3.7.1 because now Varnish is unsetting the test cookie from wp-login.php. But…by doing this I can’t login to WordPress 3.6.1 either, I just don’t get the message, (in both cases the testcookie is not set) though I stay on wp-login.php, just no error message.

    I’m not seeing an obvious way to configure Varnish in a way that it would break WordPress 3.7.1 but not affect previous versions of WordPress.

    That would suggest it is not server-specific but WordPress version specific. You are now in effect trying to configure Varnish to accommodate the changes in WordPress 3.7.1.

    Thread Starter willem.deboer

    (@willemdeboer)

    @esmi – in the case of @willem.deboer it looks like he’s coming through a proxy server as well, but not sure it’s Varnish:

    Via: 1.1 W0211, 1.1 W020

    I would like to know too, so I can tell my webhost.

    Thread Starter willem.deboer

    (@willemdeboer)

    @jgjh151 – would you mind either posting your Varnish config file(s) or sending them to me (dougsparling at gmail dot com). I’m still baffled how Varnish would cause 3.7.1 to fail, yet pre-3.7.1 would work.

    Has anyone tried reverting to 3.6.x without changing anything serverside? If that version works, it would mean fatal changes have been made in WordPress version 3.7.x that cause it to behave differently and cause the cookie error.

    OK, thanks to @jgjh151 sharing his Varnish config file, I think I’ve got this mystery solved.

    So…it is definitely an issue with Varnish configuration, but, something also did change in WordPress 3.7, but it was a bug fix. So due to a bug in wp-login.php in pre-WordPress 3.7, an incorrect configuration in Varnish did not cause any issues with WordPress because the bug in WordPress caused wp-login.php to not actually check the test cookie.

    Here’s the line in Varnish config that’s causing the issue:

    if ( (!(req.url ~ "(wp-(login|admin)|login)")) || (req.request == "GET") ) {

    It needs to be:

    if ( (!(req.url ~ "(wp-(login|admin)|login)")) ) {

    Now for the quick explanation. In WordPress 3.6.1 (and earlier I assume), the req.request == "GET" part of Varnish config was preventing wp-login.php from writing the test cookie when the form was loaded (called with a GET), but the code that checked if the test cookie was actually set (when wp-login.php called via a POST) never ran if the user’s credentials were good. That is, on the form post, if the user authenticated properly, then the user was redirected to wp-admin without this code being run:

    if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) )

    In WordPress 3.7, this bug in wp-login.php was fixed, moving the redirect to wp-admin on successful login *after* the cookie check code above. So now the cookie check is actually run. So if Varnish is deleting the test cookie on GET requests to wp-login.php, this won’t prevent a login with WordPress 3.6.1 or older, but now that WordPress is actually checking for the test cookie, it will fail the cookie check as it should.

    So even though something did change in WordPress, it’s due to misconfiguration of Varnish. (and any other proxy/caching server I imagine)

    To use Varnish with WordPress, at least Varnish 3, it’s best to follow the sample template here:

    Varnish 3.0 templates – WordPress, Drupal, Joomla and Fork CMS VCL templates

    And specifically for WordPress:

    fetch/wordpress.vcl
    receive/wordpress.vcl

    Thread Starter willem.deboer

    (@willemdeboer)

    Great job! I think you guys nailed it. I have sent this explanation to my webhost hoping they can correct their configuration too. That would allow me to get to the admin functions again.
    Is there a way to temporarily hack the 3.7.1 wp-login.php and wp-admin.php to allow me to do some long overdue administrator tasks?

    @scriptrunner (Doug Sparling): Thank you very much for that detailed explanation. Bookmarked for future use.

    @esmi – you’re welcome!

    Also, one more bit of information. If someone says they get the

    ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.

    message the first time they try to login, and then they can login successfully the second time, that’s a sure sign that a proxy is deleting cookies on GET requests. WordPress (wp-login.php) will also run the same code to set the test cookie on a POST but it can’t read the cookie until the next request. (in this case, a second login form post)
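The interaction described in the two explanations above (a proxy dropping Set-Cookie on GET requests to wp-login.php, and the cookie check moving ahead of the redirect in 3.7), as an added model that is not part of the original thread and is not WordPress or Varnish code. The function names, outcome strings and the `fixed` / `strip_on_get` switches are illustrative assumptions.

```python
# Simplified model of the wp-login.php / proxy exchange; constructed for illustration.
TEST_COOKIE = "wordpress_test_cookie"

def wp_login(method, cookies, creds_ok, fixed):
    """Model one wp-login.php request; returns (outcome, cookie names it tries to set).

    Assumes the login form always posts the 'testcookie' field.
    fixed=False models the pre-3.7 ordering, fixed=True the 3.7 ordering.
    """
    set_cookie = [TEST_COOKIE]          # the test cookie is (re)sent on GET and POST
    if method == "GET":
        return "form", set_cookie
    cookie_missing = TEST_COOKIE not in cookies
    if creds_ok and not fixed:          # pre-3.7: redirect happens before the check
        return "redirect:wp-admin", set_cookie + ["auth"]
    if cookie_missing:                  # the check quoted in the thread
        return "error:cookies-blocked", set_cookie
    if creds_ok:
        return "redirect:wp-admin", set_cookie + ["auth"]
    return "error:bad-credentials", set_cookie

def proxy(method, url, set_cookie, strip_on_get):
    """Model the VCL condition: keep Set-Cookie only for login/admin URLs.

    strip_on_get=True adds the faulty '|| req.request == "GET"' clause.
    """
    is_login = "wp-login" in url or "wp-admin" in url
    if not is_login or (strip_on_get and method == "GET"):
        return []
    return set_cookie

def login_attempts(fixed, strip_on_get, attempts=2):
    """Load the form once, then submit valid credentials until redirected."""
    jar, outcomes = set(), []
    for method in ["GET"] + ["POST"] * attempts:
        outcome, sent = wp_login(method, jar, True, fixed)
        jar |= set(proxy(method, "/wp-login.php", sent, strip_on_get))
        if method == "POST":
            outcomes.append(outcome)
            if outcome.startswith("redirect"):
                break
    return outcomes

if __name__ == "__main__":
    for fixed in (False, True):
        for strip in (True, False):
            print(f"fixed={fixed} strip_on_get={strip}:", login_attempts(fixed, strip))
```

With the faulty clause and the 3.7 ordering, the first submit fails and the second succeeds, which is the symptom the post above gives as the sign of a proxy deleting cookies on GET.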

    I have had the same problem for 3 days now on an Arabic version of a WordPress site, but the English WordPress is fine. Both are running on the same server.

    And both are the latest 3.7.1. I made no core update for the last 3 weeks; now I can’t log in, same cookie error on the Arabic website.

  • The topic ‘"Cookies are blocked or not supported" since update to 3.7.1’ is closed to new replies.