2019-03-09, 02:25 PM
Okay, although this is not really a bug, I'd like to share the solution I found.
The issue was, as I already said, independent of the forum theme (same with the default theme).
When I inspected how the post_key is generated and validated, I considered that it's always dependent on the cookie "sid" ($session->sid), which changed in the MyBB 1.8.20 update (before 1.8.20 the key was generated with $session->useragent instead).
If you have two MyBB forums with the same domain but different subdomains (e.g. forum.com and dev.forum.com), the cookies are somehow used cross-site even if the cookie domain in the ACP settings is set to forum.com instead of .forum.com (as it is recommended).
Is it intended that when I look up my browser cookies, the cookie domain is .forum.com even though I have forum.com (without leading dot) set in the ACP settings?
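
How a user agent following RFC 6265 scopes a cookie by its Domain attribute, as an added example that is not part of the original post and is not MyBB code. The function names, the cookie value and the three Domain variants are constructed for illustration; which Domain attribute MyBB actually sends for a given ACP setting is not modelled here.

```javascript
// RFC 6265 cookie Domain handling. Hosts and values are constructed samples.
// The public-suffix check of section 5.3 is omitted for brevity.

// 5.2.3: lowercase the attribute value and ignore one leading dot.
function normalizeDomainAttr(value) {
  const v = (value || '').trim().toLowerCase();
  return v.startsWith('.') ? v.slice(1) : v;
}

// 5.1.3: host equals domain, or is a host name ending in "." + domain.
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  if (h === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
  return !isIp && h.endsWith('.' + domain);
}

// 5.3: build the stored cookie; null means the user agent rejects it.
function storeCookie(originHost, name, value, domainAttr) {
  const domain = normalizeDomainAttr(domainAttr);
  if (domain === '') {
    // No Domain attribute: host-only cookie bound to the exact origin host.
    return { name, value, domain: originHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatch(originHost, domain)) return null;
  return { name, value, domain, hostOnly: false };
}

// 5.4: host-only cookies need an exact host match, others a domain match.
function isSentTo(cookie, requestHost) {
  const h = requestHost.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatch(h, cookie.domain);
}

// Constructed scenario: three ways forum.com could scope its "sid" cookie.
function scenario() {
  const variants = { noDot: 'forum.com', dot: '.forum.com', hostOnly: undefined };
  const out = {};
  for (const [label, attr] of Object.entries(variants)) {
    const c = storeCookie('forum.com', 'sid', 'constructed-value', attr);
    out[label] = { domain: c.domain, hostOnly: c.hostOnly,
                   toDev: isSentTo(c, 'dev.forum.com') };
  }
  return out;
}

console.log(scenario());
```

Under these rules `Domain=forum.com` and `Domain=.forum.com` are stored identically and both reach dev.forum.com; only a cookie sent without any Domain attribute stays on the exact host that set it.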