add admin notice when invalid COOKIE_DOMAIN is set

[superdav42]

Summary by CodeRabbit

• New Features
  • Adds automatic configuration validation that detects COOKIE_DOMAIN issues on multisite subdomain installs and displays a prominent warning in the Network Admin with a guidance link.
  • Runs this check during admin initialization so network administrators see timely alerts about potential authentication/session problems.

[coderabbitai]

Walkthrough

Adds a new admin Configuration_Checker class that validates COOKIE_DOMAIN on subdomain multisite installs and posts a network-admin warning when COOKIE_DOMAIN is defined as false. The main WP_Ultimo loader is updated to initialize this checker during admin component loading.

Changes

Cohort / File(s)	Summary
New Configuration Checker inc/admin/class-configuration-checker.php	Adds WP_Ultimo\Admin\Configuration_Checker (uses \WP_Ultimo\Traits\Singleton) with init(): void that registers network_admin_init, and check_cookie_domain_configuration(): void which checks is_subdomain_install() and defined('COOKIE_DOMAIN') && COOKIE_DOMAIN === false, then pushes a network-admin warning notice via the WP_Ultimo notice system.
Main Class Integration inc/class-wp-ultimo.php	Calls WP_Ultimo\Admin\Configuration_Checker::get_instance() during admin component loading (inside load_public_apis() / is_admin() path), adding the checker initialization to admin start-up.

Sequence Diagram(s)

sequenceDiagram
  participant Browser
  participant WP_Ultimo as WP_Ultimo Loader
  participant Config as Configuration_Checker
  participant WPAdmin as WP admin init
  participant Notices as WP_Ultimo()->notices

  Browser->>WP_Ultimo: Request admin page
  WP_Ultimo->>WP_Ultimo: load_public_apis() (is_admin block)
  WP_Ultimo->>WPAdmin: require admin.php
  WP_Ultimo->>Config: Configuration_Checker::get_instance()
  WPAdmin->>Config: network_admin_init (hook runs)
  Config->>Config: check_cookie_domain_configuration()
  alt COOKIE_DOMAIN defined and === false on subdomain install
    Config->>Notices: push network-admin warning (cookie_domain_false_warning)
    Notices->>Browser: warning shown in network-admin
  else Otherwise
    Config->>Notices: no action
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• New class contains straightforward checks and notice construction.
• Integration is a single initialization call.
• Pay attention to:
  • Correct hook placement (network_admin_init) and execution timing.
  • Message localization and escaping in the notice payload.
  • Singleton trait usage and autoload/namespace consistency.

Possibly related issues

• Add admin notice when COOKIE_DOMAIN is empty #202: Implements the requested COOKIE_DOMAIN false detection and network-admin warning for subdomain multisite installations.

Poem

🐰 I sniffed the cookies on the admin lawn,
Found a false domain at early dawn,
I raised a bright banner, a warning to share,
So sessions stay steady and logins play fair. 🍪✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding an admin notice when COOKIE_DOMAIN is invalidly configured, which aligns with the new Configuration_Checker class implementation.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-notice

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

inc/admin/class-configuration-checker.php (2)

44-68: Consider performance optimization and broader validation.

The check runs on every network_admin_init request. Consider these improvements:

1. Deduplication: Verify that the notices system (with identifier 'cookie_domain_false_warning') prevents duplicate notices across page loads to avoid performance overhead.

2. Broader validation: The check only catches COOKIE_DOMAIN === false. Consider also validating:

   • Empty strings: COOKIE_DOMAIN === ''
   • Invalid domain formats
   • Domains that don't match the network's domain structure

3. Check frequency: If the notice is persistent, consider running this check less frequently (e.g., only on specific admin pages or with transient caching).

For the broader validation, you could extend the check:

 		// Check if COOKIE_DOMAIN is defined and set to false
-		if (defined('COOKIE_DOMAIN') && COOKIE_DOMAIN === false) {
+		if (defined('COOKIE_DOMAIN') && (COOKIE_DOMAIN === false || COOKIE_DOMAIN === '')) {
 			$message = sprintf(
 				// translators: %1$s is the opening code tag, %2$s is the closing code tag, %3$s is a link to WordPress documentation
-				__('Your <strong>wp-config.php</strong> has %1$sCOOKIE_DOMAIN%2$s set to %1$sfalse%2$s, which can cause authentication and session issues on subdomain multisite installations. Please remove this line from your wp-config.php file or set it to an appropriate value. %3$s', 'ultimate-multisite'),
+				__('Your <strong>wp-config.php</strong> has %1$sCOOKIE_DOMAIN%2$s set to an invalid value, which can cause authentication and session issues on subdomain multisite installations. Please remove this line from your wp-config.php file or set it to an appropriate value. %3$s', 'ultimate-multisite'),

---

53-59: HTML in translatable strings is acceptable but be aware of XSS risks.

The message includes HTML tags (<code>, <a>, <strong>) within the translatable string. While this is a common WordPress pattern and generally acceptable, be aware that if translators have malicious intent, they could inject harmful HTML.

This is a minor concern given that translation files are typically controlled by the plugin maintainer, but it's worth noting for security awareness.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa3b754 and a5f479f.

📒 Files selected for processing (2)

• inc/admin/class-configuration-checker.php (1 hunks)
• inc/class-wp-ultimo.php (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

inc/admin/class-configuration-checker.php (1)

inc/class-wp-ultimo.php (2)

• WP_Ultimo (23-948)
• init (115-213)

inc/class-wp-ultimo.php (1)

inc/admin/class-configuration-checker.php (1)

• Configuration_Checker (20-69)

🔇 Additional comments (2)

inc/class-wp-ultimo.php (1)

581-584: LGTM! Consistent integration pattern.

The Configuration_Checker is initialized following the same pattern as other components in load_extra_components(). The placement after Network_Usage_Columns is appropriate for admin-related functionality.

However, this depends on the Singleton trait properly initializing the instance (see concerns raised in the Configuration_Checker file review).

inc/admin/class-configuration-checker.php (1)

20-33: The original review comment is incorrect—the Singleton trait does automatically call init().

The \WP_Ultimo\Traits\Singleton trait has a private constructor and a get_instance() method that explicitly calls static::$instance->init() after instantiation (line 36 of the trait). This pattern guarantees that when Configuration_Checker::get_instance() is invoked, the init() method will execute and register the hook on line 32. The code is correct as written.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

inc/admin/class-configuration-checker.php (1)

30-33: Use network_admin_init hook for better performance.

The method registers on admin_init but check_cookie_domain_configuration() immediately exits if not in network admin (Line 45). This causes the method to run unnecessarily on every sub-site admin page load.

Apply this diff:

 	public function init(): void {
 
-		add_action('admin_init', [$this, 'check_cookie_domain_configuration']);
+		add_action('network_admin_init', [$this, 'check_cookie_domain_configuration']);
 	}

With this change, the guard clause at lines 45-47 becomes redundant (though harmless as defensive coding).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a5f479f and c9280f0.

📒 Files selected for processing (2)

• inc/admin/class-configuration-checker.php (1 hunks)
• inc/class-wp-ultimo.php (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

inc/class-wp-ultimo.php (1)

inc/admin/class-configuration-checker.php (1)

• Configuration_Checker (20-72)

inc/admin/class-configuration-checker.php (1)

inc/class-wp-ultimo.php (1)

• WP_Ultimo (23-948)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: cypress (8.1, chrome)
• GitHub Check: cypress (8.2, chrome)

🔇 Additional comments (2)

inc/admin/class-configuration-checker.php (1)

44-71: LGTM! Clear detection logic and actionable warning message.

The method correctly identifies the problematic COOKIE_DOMAIN configuration with appropriate guards for subdomain multisite installs. The warning message is clear, provides context, and includes a documentation link with proper security attributes.

inc/class-wp-ultimo.php (1)

427-430: LGTM! Clean integration of the Configuration_Checker.

The initialization is appropriately placed in the admin section of load_public_apis(), follows the singleton pattern consistent with other components in this file, and includes a clear descriptive comment.

[superdav42]

Actionable comments posted: 0

🧹 Nitpick comments (1)

inc/admin/class-configuration-checker.php (1)> 30-33: Use network_admin_init hook for better performance.

The method registers on admin_init but check_cookie_domain_configuration() immediately exits if not in network admin (Line 45). This causes the method to run unnecessarily on every sub-site admin page load.
Apply this diff:

 	public function init(): void {
 
-		add_action('admin_init', [$this, 'check_cookie_domain_configuration']);
+		add_action('network_admin_init', [$this, 'check_cookie_domain_configuration']);
 	}

With this change, the guard clause at lines 45-47 becomes redundant (though harmless as defensive coding).

📜 Review details
Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits
Reviewing files that changed from the base of the PR and between a5f479f and c9280f0.

📒 Files selected for processing (2)

• inc/admin/class-configuration-checker.php (1 hunks)
• inc/class-wp-ultimo.php (1 hunks)

🧰 Additional context used
🧬 Code graph analysis (2)
inc/class-wp-ultimo.php (1)

inc/admin/class-configuration-checker.php (1)

• Configuration_Checker (20-72)

inc/admin/class-configuration-checker.php (1)

inc/class-wp-ultimo.php (1)

• WP_Ultimo (23-948)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: cypress (8.1, chrome)
• GitHub Check: cypress (8.2, chrome)

🔇 Additional comments (2)

there is no 'network_admin_init' hook. Unless you can show me the documentation