
Re: WordPress + bbPress Integration 101


_ck_
Participant

@_ck_

== Security Considerations when Integrated ==

If for some reason you are on a shared server that uses subdomains and you do not own/control the entire domain (i.e. myblog.example.com, johnsblog.example.com), or your URL has a tilde in it (“~”), i.e. example.com/~myblog/, and you do not own the entire domain (i.e. earthlink.com), my cookie advice above is not a good idea and you will have to customize – ask for help.

The reason why is related to some of the cookie changes in WordPress 2.6 – essentially, cookies set to the domain of “.example.com” will get transmitted to the server for ANY subdomain on the server (myblog.example.com will also see the cookies for johnsblog.example.com). The same thing goes for the cookie path, in that cookies set to the path of webroot (“/”) will be sent to both example.com/~myblog/ as well as example.com/~johnsblog/ – malicious code on another subdomain or path could snoop on the cookies and steal your admin access to your blog/forum or pretend to be another user.

WordPress 2.6 (and a future version of bbPress) uses separate cookies for admin access that can be locked down to very specific paths, as well as different cookies for SSL access. This is an attempt to make sure that cookies which give admin access get transmitted as little as possible and only to the specific server/account that needs it, so snooping hackers can’t spoof you.

Note this is only a concern if you do NOT control your own server (i.e. other people can run PHP on YOUR domain name) or perhaps if you run a WPMU setup. Otherwise, setting the dotted cookie domain and webroot path is the simplest way to get integration cookie sync.
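
The cookie scoping described in the post above can be checked mechanically. The following is an added example, not part of the original post and not WordPress or bbPress code: it applies the RFC 6265 domain-match and path-match rules to the post's example hosts. The cookie objects, the `setBy` field and the `/wp-admin` path are assumptions made for illustration.

```javascript
// Added example: decides whether a browser attaches a cookie to a request,
// following the RFC 6265 domain-match and path-match rules.
// All cookies and URLs below are constructed sample data.

// cookie.domain: Domain attribute, or null for a host-only cookie.
// cookie.setBy:  host that set the cookie (only consulted when domain is null).
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.domain === null) return host === cookie.setBy.toLowerCase();
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a "/" boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function cookieSentTo(cookie, url) {
  const u = new URL(url);
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// Dotted domain + webroot path: the simple integration setting.
const shared = { domain: ".example.com", path: "/", setBy: "myblog.example.com" };
// Host-only cookie locked to an admin path (path is an assumption).
const scoped = { domain: null, path: "/wp-admin", setBy: "myblog.example.com" };
// Tilde accounts on one host: webroot path versus the account's own path.
const tildeRoot = { domain: null, path: "/", setBy: "example.com" };
const tildeOwn = { domain: null, path: "/~myblog/", setBy: "example.com" };

const urls = [
  "https://myblog.example.com/wp-admin/index.php",
  "https://johnsblog.example.com/wp-admin/",
  "https://example.com/~myblog/forum/",
  "https://example.com/~johnsblog/",
];

// One row per URL: which of the four cookies the request would carry.
function report() {
  const cookies = { shared, scoped, tildeRoot, tildeOwn };
  return urls.map((url) => {
    const row = { url };
    for (const [name, c] of Object.entries(cookies)) row[name] = cookieSentTo(c, url);
    return row;
  });
}

console.table(report());
```

The `shared` and `tildeRoot` rows show the exposure the post warns about: both cookies reach johnsblog's subdomain or tilde path, while `scoped` and `tildeOwn` do not.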
