You write in your question:
> they face the issue that they can't login and no error message is displayed
This is a good indicator that you have a cookie issue. This error pattern is just that the login was successful for Magento (username and password did match) but there is no session to keep the successful login. Hence the login page is displayed again with no error message.
> My research leads me to believe that this is a cookie problem, stemming from the fact that the example.com cookie is set, and then causes problems when the user is redirected to sub.example.com
You're pretty close, here is what happens.
- You have not specified a cookie-domain for both sites.
- Not specifying a cookie-domain means, the browser when it receives a cookie will file it under the domain of the request.
- The login will then set the session ID to example.com. In that session the user is logged in.
- After redirect a new session ID will be set to sub.example.com. In that new session the user is not logged in.
- If the browser requests a page under sub.example.com then, it needs to decide which of the two same-named cookies for the session is to be taken: The one for example.com or the one for sub.example.com? And if both in which order? Answer: You can't say as browsers vary here.
- And not only the browser, also the server needs to decide here. So what happens here? Answer: For PHP, it can't handle two cookie values with the same name. It only takes the first one. And which one that is, you can't say (see browsers).
- So this is already flawed. No wonder it won't work until you start fresh and remove existing cookies under both domains.
This is what you experienced and hopefully the listing sheds some light.
So how to handle this in your case?
My suggestion would be to configure the cookie domains as "example.com" for both sites in your case. That means that both sites will share their session which I assume is what you're looking for.
Not setting the cookie-domain in the first place was causing you the trouble then as this resulted in two different cookie domains, but you want to share the session cookie, so you want one session cookie and not two.
Also: Set the cookie to HTTP only so it can't be spoofed in a browser-script.
Changes in your configuration:
- Cookie domain: example.com (was: (empty))
- Use HTTP only: Yes (was: No)
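
The cookie handling discussed in the answer above, as an added example (not part of the original answer and not Magento or browser code): a small model of RFC 6265 cookie storage and domain matching that replays the Set-Cookie responses and shows which session cookies a browser following that RFC sends to sub.example.com. The cookie name `frontend`, the values, the `replay` helper and Path=/ are assumptions.

```javascript
// Constructed model of RFC 6265 cookie storage and matching (sample data throughout).
// Assumptions: cookie name "frontend", Path is always "/", no expiry handling.
const domainMatch = (host, domain) => host === domain || host.endsWith('.' + domain);

function storeCookie(jar, requestHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  // No Domain attribute: host-only cookie filed under the host of the request.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost, hostOnly: true };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    if (key.trim().toLowerCase() === 'domain' && val.trim()) {
      cookie.domain = val.trim().replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false; // Domain given: also sent to subdomains
    }
  }
  if (!domainMatch(requestHost, cookie.domain)) return; // foreign Domain is ignored
  const i = jar.findIndex(c => c.name === cookie.name && c.domain === cookie.domain);
  if (i >= 0) jar[i] = cookie; else jar.push(cookie); // same name+domain is replaced
}

// Cookie header sent to `host`; jar order is creation order.
function cookieHeader(jar, host) {
  return jar.filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
            .map(c => `${c.name}=${c.value}`).join('; ');
}

// Server side: the first value wins for a repeated name (what the answer states for PHP).
function parseFirstWins(header) {
  const out = {};
  for (const part of header.split(';').map(s => s.trim()).filter(Boolean)) {
    const eq = part.indexOf('=');
    const name = part.slice(0, eq);
    if (!(name in out)) out[name] = part.slice(eq + 1);
  }
  return out;
}

// Replay [respondingHost, Set-Cookie value] pairs, return the header sent to `target`.
function replay(responses, target) {
  const jar = [];
  for (const [host, sc] of responses) storeCookie(jar, host, sc);
  return cookieHeader(jar, target);
}

// One cookie with Domain=example.com plus one host-only cookie: two same-named values.
const mixed = replay([['example.com', 'frontend=LOGGED_IN; Domain=example.com'],
                      ['sub.example.com', 'frontend=ANON']], 'sub.example.com');
console.log(mixed, '->', parseFirstWins(mixed).frontend);
```

Swapping the order of the two responses in `mixed` flips which session the server sees, while giving both responses `Domain=example.com` leaves a single cookie in the jar.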
My issue is solved now!!!
I have deleted the Application Load Balancer from AWS EC2 and followed the steps below to create a Classic Load Balancer with cookies set to 3600, the same as on my Magento site.
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, under LOAD BALANCING, choose Target Groups.
- Select the target group.
- On the Description tab, choose Edit attributes.
- On the Edit attributes page, do the following:
  - Select Enable load balancer generated cookie stickiness.
  - For Stickiness duration, specify a value between 1 second and 7 days.
  - Choose Save.
Best Answer
Having a look at the function:
it looks like path and domain are missing. Also the date string is not in the correct format (see: https://stackoverflow.com/questions/11136372/which-date-formats-can-i-use-when-specifying-the-expiry-date-when-setting-a-cook)
The function is not used anywhere in core Magento, probably that's why nobody noticed it was broken for 8 years.
I was able to fix this by redefining the function to use Mage.Cookies.set, which takes care of all required parameters:

While we're at it, Mage.Cookies.set uses Date.toGMTString(), which is deprecated and while it's still widely supported, it will not work in future browser versions. Changing it to toUTCString makes the cookie functions future proof.