Here is a fix for mambo and joomla 1.0 installations that workaround the www/non-www issues in joomla 1.0 (joomla 1.5 is not affected by this):

open file mod_cblogin.php :

Search for line:
[code:1] echo '<form action="'.$loginPost.'" method="post" id="mod_loginform'.$class_sfx.'" ';
[/code:1]

and insert just before that line:

[code:1] // now we need to make sure that the cookie in return of this post is sent to the most generic domain, in case multiple domains exist:
// if the current page ($return) is without www, then login should also be without www, even if live_site has www:
if (strncasecmp($loginPost, "http://www.", 11)==0 // && strncasecmp($cblogin_live_site, "http://", 7)==0
&& strncasecmp( substr($loginPost, 11), substr($return, 7), $len_live_site - 11 ) == 0 ) {
// the login return string matches the live site without 'www.' in it:
// add www subdomain as live_site has it.
$loginPost = "http://" . substr($loginPost, 11);
} elseif (strncasecmp($loginPost, "https://www.", 12)==0 // && strncasecmp($cblogin_live_site, "https://", 8)==0
&& strncasecmp( substr($loginPost, 12), substr($return, 8), $len_live_site - 12 ) == 0 ) {
$loginPost = "https://" . substr($loginPost, 12); // same for https
}
[/code:1]

I would be very thankful if you all in here could quickly test that fix, if possible today...(yes i know it's short notice)...so we can include it in RC4

Please test as follows:
- apply fix
- remove from your .htaccess the autoredirection added
- make sure your live_site has no www. in it
- go to your site with url WITH www. in front
- try logging in
- see that it fails
- apply fix
- try again logging in in same condition and see that it works
- logout
- try logging in the site without www


Thanks