Hi,
I have a couple of questions about cookies. I'm using v0.9.840 on my localhost.
The following behaviour is consistently reproducible, and maybe as
designed, but I do not understand it. Any help would be much
appreciated!
The xwiki.authentication.cookiedomains value has some effect on
persistent login cookie creation, which in turn affects whether
XWikiAuthServiceImpl.authenticate(user, password, context) is called on
every page view or not.
Below is the outcome of some experiments with different cookiedomains
values. Between each test I shut down Tomcat, wiped my cookies for
localhost, changed xwiki.cfg as described and relaunched Tomcat:
xwiki.authentication.cookiedomains=localhost
. persistent login cookies created: no (only style and JSESSIONID)
. authentication on every page view: no,
XWikiAuthServiceImpl.authenticate(user, password, context) is ONLY
CALLED ONCE (when logging in)

xwiki.authentication.cookiedomains=
. persistent login cookies created: yes (rememberme, validation,
password, username, style and JSESSIONID)
. authentication on every page view: yes,
XWikiAuthServiceImpl.authenticate(user, password, context) is called on
every page view.

xwiki.authentication.cookiedomains=calh (or any substring of 'localhost')
. persistent login cookies created: no (only style and JSESSIONID)
. authentication on every page view: no,
XWikiAuthServiceImpl.authenticate(user, password, context) is ONLY
CALLED ONCE (when logging in)

xwiki.authentication.cookiedomains=some_other_string (that isn't a
substring of 'localhost')
. persistent login cookies created: yes (rememberme, validation,
password, username, style and JSESSIONID)
. authentication on every page view: yes,
XWikiAuthServiceImpl.authenticate(user, password, context) is called on
every page view.
I realise I'm probably using this setting incorrectly, excuse my lack
of knowledge of cookies... but even so, this behaviour seems odd to
me:
1. Why are the persistent login cookies not created when the
cookiedomains value is a substring of the server name?
What I think is happening from reading the code: in my examples the
cookies are assigned a domain name that doesn't match the actual
domain of the server (I guess 'localhost' is not a valid domain name
for machine localhost :), so they are never set properly. The XWiki
code has a basic check to ensure the desired cookie domain has some
correlation with the server name and ignores it if not... but it is
fooled if the value is a substring of the hostname. Is this a standard
way of doing things or is there room for improvement here?
2. Looking at the code I can see we need the persistent login cookies
to extract the username & password in order to call
XWikiAuthServiceImpl.authenticate with valid params. But the way it's
currently written, a user can bypass XWikiAuthServiceImpl.authenticate
if the persistent login cookies are not set: if I have a valid session
cookie, I can just delete my persistent login cookies and browse the
wiki without XWikiAuthServiceImpl.authenticate being called. Is this
expected? This thread would suggest not:
http://mail-archive.objectweb.org/xwiki-dev/2006-02/msg00027.html
I have spent some time looking at the code, but don't have sufficient
understanding of the expected flow through (or even the purpose of)
the numerous checkAccess, checkAuth, processLogin, checkLogin and
authenticate methods, nor their expected interaction with cookies.
Thanks for any info!
On a side note, is it possible to configure things so that
"http://myHostName" and "http://myHostName.myDomain.com" share XWiki
cookies?
Regards,
Robin
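The substring check described in question 1, and the side question about whether two host names can share a cookie, both come down to how a cookie Domain attribute is matched against a request host. The following is an added standalone model written for this thread; it is not XWiki code and makes no claim about how XWiki's own check is implemented. It places the kind of "is the configured domain a substring of the host name" test the post describes next to the domain-matching rule from RFC 6265 section 5.1.3 (host equals the domain, or the domain is a dot-delimited suffix of the host; IP-literal hosts must match exactly). All function names, and the sample hosts such as `myHostName.myDomain.com`, are illustrative assumptions.

```python
"""Cookie-domain matching: a naive substring test versus RFC 6265 matching.

Added example for the discussion above; not XWiki code. The helper names
and the sample host names below are assumptions made for illustration.
"""
import ipaddress
from typing import Iterable, Optional


def _is_ip_literal(host: str) -> bool:
    """True if the host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def naive_domain_check(configured_domain: str, request_host: str) -> bool:
    """The kind of correlation test the post describes: accept the
    configured cookie domain if it appears anywhere inside the request host.
    This is what lets 'calh' pass for the host 'localhost'."""
    return configured_domain.lower() in request_host.lower()


def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching.

    A host domain-matches a cookie domain when they are identical, or when the
    domain is a suffix of the host and the character just before that suffix
    is a dot. IP-literal hosts only match an identical domain string.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not domain or not host:
        return False
    if host == domain:
        return True
    if _is_ip_literal(host):
        return False
    return host.endswith("." + domain)


def effective_cookie_domain(configured_domains: Iterable[str],
                            request_host: str) -> Optional[str]:
    """Pick the first configured domain the request host actually
    domain-matches, or None. None means the cookie should be set without a
    Domain attribute (host-only), which a browser will always accept for the
    issuing host and send back only to that host."""
    for candidate in configured_domains:
        candidate = candidate.strip()
        if candidate and domain_matches(candidate, request_host):
            return candidate.lower().strip(".")
    return None


def compare_checks(configured_domain: str, request_host: str) -> dict:
    """Side-by-side outcome of the two checks for one configured value."""
    return {
        "configured": configured_domain,
        "host": request_host,
        "naive_accepts": naive_domain_check(configured_domain, request_host),
        "rfc6265_accepts": domain_matches(configured_domain, request_host),
    }


if __name__ == "__main__":
    # Constructed cases mirroring the post: a substring that is not a real
    # parent domain, the exact host, and the two hosts from the side question.
    for cfg, host in [("calh", "localhost"),
                      ("localhost", "localhost"),
                      ("myHostName", "myHostName.myDomain.com"),
                      ("myDomain.com", "myHostName.myDomain.com")]:
        print(compare_checks(cfg, host))
```

The practical difference: under the naive test a value like `calh` is accepted for `localhost` and ends up as the cookie's Domain attribute, which a browser will not honour for that host; under RFC 6265 matching it is rejected and the cookie falls back to host-only. The same rule answers the side question: `myHostName` does not domain-match `myHostName.myDomain.com` (the suffix is not preceded by a dot), so a cookie scoped to one of those hosts is not sent to the other.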