
Invalid cookie domain when using non-standard HTTP Port #9898

Closed
ckrjq opened this issue Jan 12, 2023 · 3 comments
Labels
Area: Environment Issues & PRs related to the application environment Status:Fix Proposed A issue that has a PR related to it that provides a possible resolution

Comments

@ckrjq

ckrjq commented Jan 12, 2023

Issue

When SuiteCRM is deployed with a non-standard HTTP Port (Example: http://suitecrm.example.com:8080), then the Application sets cookies with a cookie domain that includes the Port (e.g. suitecrm.example.com:8080). This is rejected by the browser (tested with Firefox).

Expected Behavior

The HTTP port is not part of the cookie domain.

Actual Behavior

The cookie is rejected because the cookie domain contains the port. Example response header:

Set-Cookie: ck_login_language_20=de_DE; expires=Wed, 12-Apr-2023 16:40:58 GMT; Max-Age=7776000; path=/; domain=suitecrm.example:8080; secure; HttpOnly

Possible Fix

In SugarApplication::setCookie, after retrieving the domain from $_SERVER["HTTP_HOST"], split the value into domain name and port, and use only the domain name for the cookie:

        if (strpos($domain, ':') !== false) {
            // remove port (strpos() returns false, not -1, when ':' is absent,
            // and "false >= 0" would be true in PHP)
            list($domain,) = explode(':', $domain, 2);
        }

Steps to Reproduce

  1. Install the application into a Server that listens on a non-standard port (perhaps it's even possible to run on a standard port, and explicitly add the port into the URL -- but I have not tested if that works to replicate the bug).
  2. Open the network tab of the browser dev tools, open the login page, login.
  3. Check the cookies in the response headers, see that they contain the HTTP Port in the "domain" attribute.

Note that the browser probably also emits a warning in the console. Firefox says:

Cookie “ck_login_language_20” has been rejected for invalid domain.

Your Environment

  • SuiteCRM Version used: 7.13.0
  • Browser name and version: Firefox 108.0.2
  • Environment name and version: MariaDB, PHP 7
  • Operating System and version: not relevant
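As an added example (not part of the original report and not SuiteCRM's own code), the standalone PHP below shows a host-to-cookie-domain helper that strips the port the way the proposed fix does, but also handles bracketed IPv6 literals, which a plain explode(':') would split in the wrong place. It also includes a check that flags a Set-Cookie header whose domain attribute still carries a port, the symptom described above. The function names and sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not SuiteCRM code).
// Assumes $host looks like a PHP $_SERVER["HTTP_HOST"] value:
// "host", "host:port", "[v6addr]" or "[v6addr]:port".

/**
 * Strip the port from an HTTP Host header value so it can be used as a
 * cookie "domain" attribute.
 */
function cookieDomainFromHost(string $host): string
{
    $host = trim($host);

    // IPv6 literal: "[::1]" or "[::1]:8080". A naive explode(':') would
    // cut inside the address, so take everything up to the closing bracket.
    if ($host !== '' && $host[0] === '[') {
        $end = strpos($host, ']');
        if ($end === false) {
            throw new InvalidArgumentException("Malformed IPv6 host: $host");
        }
        return substr($host, 0, $end + 1);
    }

    // Hostname or IPv4 literal, optionally followed by ":port".
    // strpos() returns false (not -1) when ':' is absent, and "false >= 0"
    // is true in PHP, so the comparison must be against false.
    $colon = strpos($host, ':');
    if ($colon !== false) {
        $host = substr($host, 0, $colon);
    }
    return $host;
}

/**
 * Defensive check for an outgoing Set-Cookie header: true when the
 * domain attribute still contains a port (browsers reject such cookies).
 */
function cookieDomainContainsPort(string $setCookieHeader): bool
{
    foreach (explode(';', $setCookieHeader) as $attr) {
        $attr = trim($attr);
        if (stripos($attr, 'domain=') !== 0) {
            continue;
        }
        $domain = substr($attr, strlen('domain='));
        // Skip over a bracketed IPv6 literal before looking for ":port".
        if ($domain !== '' && $domain[0] === '[') {
            $end = strpos($domain, ']');
            $domain = ($end === false) ? $domain : substr($domain, $end + 1);
        }
        return strpos($domain, ':') !== false;
    }
    return false;
}

// Constructed inputs mirroring the report: non-standard port, no port,
// IPv4 literal with port, IPv6 literal with port.
$cases = [
    'suitecrm.example.com:8080' => 'suitecrm.example.com',
    'suitecrm.example.com'      => 'suitecrm.example.com',
    '192.0.2.10:8443'           => '192.0.2.10',
    '[::1]:8080'                => '[::1]',
];
foreach ($cases as $in => $want) {
    $got = cookieDomainFromHost($in);
    printf("%-28s -> %-22s %s\n", $in, $got, $got === $want ? 'ok' : 'MISMATCH');
}

// Constructed headers: the rejected form from the report, and the corrected form.
$bad  = 'ck_login_language_20=de_DE; path=/; domain=suitecrm.example:8080; secure; HttpOnly';
$good = 'ck_login_language_20=de_DE; path=/; domain=suitecrm.example; secure; HttpOnly';
var_dump(cookieDomainContainsPort($bad));
var_dump(cookieDomainContainsPort($good));
```

The header check is the kind of assertion worth keeping in a test suite for the login flow, since the symptom only shows up in the browser console and not in server-side logs. A stricter alternative to stripping the port is to omit the domain attribute altogether, which yields a host-only cookie bound to the exact request host.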
@ckrjq
Author

ckrjq commented Apr 23, 2023

Has anyone reviewed this? It is a bug. I also proposed a (simple) fix. Would love to get some kind of response.

Thanks.

@chris001
Contributor

Could you make a Pull Request with the changed file? Just click on the "🖊️ pen" icon on the top right of the file to edit it, set the target to the hotfix branch, save.

@chris001
Contributor

@ckrjq I confirm this issue is a legitimate bug. When running on a non-standard port, the cookies fail, and the application malfunctions.

chris001 added a commit to chris001/SuiteCRM that referenced this issue Oct 17, 2023
@johnM2401 johnM2401 added Status:Fix Proposed A issue that has a PR related to it that provides a possible resolution Area: Environment Issues & PRs related to the application environment labels Oct 18, 2023
chris001 added a commit to chris001/SuiteCRM that referenced this issue Oct 26, 2023