
From the code:

        # While Chrome, IE, and Firefox can cope, Opera (at least) cannot
        # cope with a port number in the cookie domain when the URL it
        # receives the cookie from does not also have that port number in it
        # (e.g via a proxy).  In the meantime, HTTP_HOST is sent with port
        # number, and neither Firefox nor Chrome do anything with the
        # information when it's provided in a cookie domain except strip it
        # out.  So we strip out any port number from the cookie domain
        # aggressively to avoid problems.  See also
        # #131

Closes #131
mcdonc committed Feb 22, 2011
1 parent 182aa74 commit 0fd8eab45796417bbd8653d3f4e952135d4f8960
Showing with 33 additions and 0 deletions.
  1. +6 −0 CHANGES.txt
  2. +12 −0 pyramid/authentication.py
  3. +15 −0 pyramid/tests/test_authentication.py
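--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -18,6 +18,12 @@ Features
 - Added ``pyramid.i18n.make_localizer`` API (broken out from
 ``get_localizer`` guts).
+Bug Fixes
+---------
+
+- Don't send port numbers along with domain information in cookies set by
+ AuthTktCookieHelper (see https://github.com/Pylons/pyramid/issues/131).
+
 1.0 (2011-01-30)
 ================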
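--- a/pyramid/authentication.py
+++ b/pyramid/authentication.py
@@ -366,6 +366,18 @@ def _get_cookies(self, environ, value, max_age=None):
 cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
+ # While Chrome, IE, and Firefox can cope, Opera (at least) cannot
+ # cope with a port number in the cookie domain when the URL it
+ # receives the cookie from does not also have that port number in it
+ # (e.g via a proxy). In the meantime, HTTP_HOST is sent with port
+ # number, and neither Firefox nor Chrome do anything with the
+ # information when it's provided in a cookie domain except strip it
+ # out. So we strip out any port number from the cookie domain
+ # aggressively to avoid problems. See also
+ # https://github.com/Pylons/pyramid/issues/131
+ if ':' in cur_domain:
+ cur_domain = cur_domain.split(':', 1)[0]
+
 cookies = [
 ('Set-Cookie', '%s="%s"; Path=%s%s%s' % (
 self.cookie_name, value, self.path, max_age, self.static_flags)),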
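Review bot: Splitting on the first ':' mishandles an IPv6 literal in HTTP_HOST: a value such as `[::1]:8080` is reduced to `[`, and since the Host header is supplied by the client this is the only normalisation the value gets before it becomes the cookie Domain. Make the strip bracket-aware and split from the right instead: `if ':' in cur_domain and not cur_domain.endswith(']'):` followed by `cur_domain = cur_domain.rsplit(':', 1)[0]`; a bare hostname, `example.com:80` and `[::1]` all still come out as intended, and the new test keeps passing. Note also that `':' in cur_domain` raises TypeError when neither HTTP_HOST nor SERVER_NAME is in the environ; a compliant WSGI server always sets SERVER_NAME, so this is presumably unreachable, but the assumption deserves a comment. `_get_cookies` starts and ends outside the hunk.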
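--- a/pyramid/tests/test_authentication.py
+++ b/pyramid/tests/test_authentication.py
@@ -580,6 +580,21 @@ def test_remember_wild_domain_disabled(self):
 self.assertTrue(result[1][1].endswith('; Path=/; Domain=localhost'))
 self.failUnless(result[1][1].startswith('auth_tkt='))
+ def test_remember_domain_has_port(self):
+ plugin = self._makeOne('secret', wild_domain=False)
+ request = self._makeRequest()
+ request.environ['HTTP_HOST'] = 'example.com:80'
+ result = plugin.remember(request, 'other')
+ self.assertEqual(len(result), 2)
+
+ self.assertEqual(result[0][0], 'Set-Cookie')
+ self.assertTrue(result[0][1].endswith('; Path=/'))
+ self.failUnless(result[0][1].startswith('auth_tkt='))
+
+ self.assertEqual(result[1][0], 'Set-Cookie')
+ self.assertTrue(result[1][1].endswith('; Path=/; Domain=example.com'))
+ self.failUnless(result[1][1].startswith('auth_tkt='))
+
 def test_remember_string_userid(self):
 plugin = self._makeOne('secret')
 request = self._makeRequest()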
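Review bot: The new test mixes `assertTrue` and `failUnless` on adjacent lines; `failUnless` is the deprecated alias of `assertTrue`, so the two `self.failUnless(...)` calls in `test_remember_domain_has_port` would read better as `self.assertTrue(...)`. The neighbouring tests do the same, so this is a matter of not extending the pattern rather than a defect. The test method is complete within the hunk; the enclosing class is not.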
