cookieless subdomain locked out of wp-admin


  • #13374
    Marty
    Participant

    This problem started when I tried to initiate a cookieless subdomain with the following changes to the wp-config file:

    define('COOKIE_DOMAIN', 'www.opnutrition.com');
    define('WP_CONTENT_URL', 'https://static.opnutrition.com/wp-content');
    define('WP_PLUGIN_URL', 'https://opnutrition.com/wp-content/plugins');

    and this change to the .htaccess file:

    RedirectMatch 301 ^/wp-content/uploads/(.*)$ http://static.opnutrition.com/$1

    Even though I have abandoned the attempt (the above code was removed), I can no longer create a new secure .htaccess file without it preventing the loading of most of my images on the site.  Also, whenever I clear my browser cookies, I am locked out of wp-admin.  The only way I can get back into the dashboard is to roll back the wp-config file with a server restore for the date 2-12-14.  Mind you, the current wp-config file and the one on the 12th are exactly the same.  In order to restore all the images on the site, I also have to roll back the .htaccess file to the 12th.  I know this is a cookie-related problem but I don’t know how to correct it.  Server tech support claims they cleared the domain of cookies.  If so, it did not change anything.  I have uninstalled and reinstalled BPS, deleting all the BPS .htaccess files to start clean; however, when I reinstalled nothing changed.  I didn’t expect it to because it just brought back all the old settings and custom codes.  Any suggestions would be greatly appreciated.

    #13377
    AITpro Admin
    Keymaster

    FTP to your website and delete your root .htaccess file and wp-admin .htaccess file.  Log back into your website and check that your WordPress Settings are correct.  Settings >>> General.  Check that your wp-config.php file has all the correct config code.

    #13379
    AITpro Admin
    Keymaster

    When you use the WP_CONTENT_URL constant you are telling WordPress that image/media files are stored on the static subdomain so you would not need any sort of additional .htaccess redirect code.  I noticed that you had https instead of just http.  That could have been the problem.  You would not need to add a plugins define constant when setting a cookie domain.

    define('COOKIE_DOMAIN', 'www.opnutrition.com');
    define('WP_CONTENT_URL', 'http://static.opnutrition.com/wp-content');

    All media files are uploaded and stored on the static.opnutrition.com website and the WP_CONTENT_URL constant in your main site’s wp-config.php file will use that URL for where to look for those media files.  Your image URLs on your main site will point to the static subdomain.  Cookies will not be included in the Request.
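
Added example (not part of the original posts, and not WordPress or BPS code): a JavaScript sketch of the RFC 6265 domain-matching rule browsers apply, run against the hosts named in this thread to show which requests would carry a cookie scoped to a given COOKIE_DOMAIN value. The URL paths, the `opnutrition.com` comparison value and all function names are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3: a request host matches a cookie domain when it is
// identical to it, or is a subdomain of it (and is not an IP address).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// A cookie set with a Domain attribute covers that domain and its subdomains;
// a cookie set without one is host-only and needs an exact host match.
function cookieSent(requestUrl, cookie) {
  const host = new URL(requestUrl).hostname;
  if (cookie.hostOnly) return host === cookie.domain.toLowerCase();
  return domainMatches(host, cookie.domain);
}

// Report, for each URL, whether a cookie scoped to cookieDomain is attached.
function audit(cookieDomain, urls) {
  const cookie = { domain: cookieDomain, hostOnly: false };
  return urls.map((url) => ({ url, sent: cookieSent(url, cookie) }));
}

// Constructed sample requests using the hosts that appear in this thread.
const SAMPLE_URLS = [
  "https://www.opnutrition.com/wp-admin/",
  "http://static.opnutrition.com/wp-content/uploads/example.png",
  "https://opnutrition.com/wp-content/plugins/",
];

// The value from the thread, then the bare domain for comparison (assumption).
for (const cookieDomain of ["www.opnutrition.com", "opnutrition.com"]) {
  console.log("COOKIE_DOMAIN =", cookieDomain);
  for (const row of audit(cookieDomain, SAMPLE_URLS)) {
    console.log("  ", row.sent ? "cookie sent    " : "no cookie sent ", row.url);
  }
}
```

With the cookie scoped to `www.opnutrition.com`, only the `www` host receives it; scoped to the bare domain, every subdomain does, including `static`.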

    #13381
    AITpro Admin
    Keymaster

    Actually I just tested this setup and I see why you added the plugins constant.  To be honest with you this wreaks massive havoc with WordPress and I definitely do NOT recommend using the Cookie Domain constant.  The whole cookie domain thing is ridiculously blown out of proportion anyway (minimal benefit/maximum headaches) so no big loss.

    #13383
    Marty
    Participant

    I agree which is why I abandoned the entire thing and removed all the code changes.  But my problem remains.  Even though the wp-config file is back to normal, I’m getting locked out of admin whenever I clear my browser cookies and the loading of images on the site is being blocked.  It’s like the .htaccess file is still adversely reacting to changes that no longer exist.

    #13384
    AITpro Admin
    Keymaster

    Regarding deleting cookies – If I’m not mistaken I believe that is normal WordPress functionality/behavior.
    Regarding images not loading – post a security log entry that is related to an image file from your BPS Security Log.

    What happens when you do the standard BPS Troubleshooting steps?

    http://forum.ait-pro.com/forums/topic/read-me-first-free/

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.

    #13388
    Marty
    Participant

    Same thing, I get locked out and I have to restore the .htaccess and wp-config files through a server rollback.  Here’s the lockout notice:

    Access restricted http://blog-en.openalfa.com/how-to-serve-static-content-in-wordpress-from-a-cookiel

    It used to just say “Access restricted” but then it started carrying the URL to a post I was reading about creating cookieless subdomains.  Why it would do that makes no sense other than BPS is reading/holding on to cookies in some way.  BPS is stuck in the past and holding on to nonexistent old information.  Also, why does this lockout login popup not take any legitimate user login info?

    There is nothing in the error log referencing either the lock-out or blocked/missing images.

    #13389
    AITpro Admin
    Keymaster

    So are you saying that the same problem occurs when you Deactivate Root Folder BulletProof Mode?  BPS does not do anything with cookies.

    “BPS is stuck in the past and holding on to nonexistent old information.” – not possible.  BPS always works in the present and is not capable of doing something like that.  If you Deactivate Root Folder BulletProof Mode then BPS is no longer a factor in the equation – BPS is Off – there is only On or Off.

    What I recommend you do is go through all the changes you made and make sure that you have put everything back the way it was and then if you are using other plugins that do something with cookies then take a look at those plugins – BPS does not do anything with cookies.

    If you have a caching plugin clear your plugin cache, etc.
