Add a parent_domain option for auth_tkt policy

This change adds a new ``parent_domain`` option to
``AuthTktAuthenticationPolicy`` which sets the authentication cookie as
a wildcard cookie on the parent domain. This
is useful if you have multiple sites sharing the same domain.
commit 188aa7ee1d4cbc55d965a452d45201852b46df58 1 parent 92f0934
@wichert wichert authored
4 CHANGES.txt
@@ -15,6 +15,10 @@ Features
``pyramid.config.Configurator.add_static_view``. This allows
externally-hosted static URLs to be generated based on the current protocol.
+- The ``AuthTktAuthenticationPolicy`` has a new ``parent_domain`` option to
+ set the authentication cookie as a wildcard cookie on the parent domain. This
+ is useful if you have multiple sites sharing the same domain.
+
- The ``AuthTktAuthenticationPolicy`` now supports IPv6 addresses when using
the ``include_ip=True`` option. This is possibly incompatible with
alternative ``auth_tkt`` implementations, as the specification does not
40 pyramid/authentication.py
@@ -511,9 +511,23 @@ class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
``wild_domain``
Default: ``True``. An auth_tkt cookie will be generated for the
- wildcard domain.
+ wildcard domain. If your site is hosted as ``example.com`` this
+ will make the cookie available for sites underneath ``example.com``
+ such as ``www.example.com``.
Optional.
+ ``parent_domain``
+
+ Default: ``False``. An auth_tkt cookie will be generated for the
+ parent domain of the current site. For example if your site is
+ hosted under ``www.example.com`` a cookie will be generated for
+ ``.example.com``. This can be useful if you have multiple sites
+ sharing the same domain. This option supercedes the ``wild_domain``
+ option.
+ Optional.
+
+ This option is available as of :app:`Pyramid` 1.5.
+
``hashalg``
Default: ``md5`` (the literal string).
@@ -565,7 +579,8 @@ def __init__(self,
http_only=False,
wild_domain=True,
debug=False,
- hashalg=_marker
+ hashalg=_marker,
+ parent_domain=False,
):
if hashalg is _marker:
hashalg = 'md5'
@@ -603,6 +618,7 @@ def __init__(self,
path=path,
wild_domain=wild_domain,
hashalg=hashalg,
+ parent_domain=parent_domain,
)
self.callback = callback
self.debug = debug
@@ -800,7 +816,7 @@ class AuthTktCookieHelper(object):
def __init__(self, secret, cookie_name='auth_tkt', secure=False,
include_ip=False, timeout=None, reissue_time=None,
max_age=None, http_only=False, path="/", wild_domain=True,
- hashalg='md5'):
+ hashalg='md5', parent_domain=False):
self.secret = secret
self.cookie_name = cookie_name
self.include_ip = include_ip
@@ -811,6 +827,7 @@ def __init__(self, secret, cookie_name='auth_tkt', secure=False,
self.http_only = http_only
self.path = path
self.wild_domain = wild_domain
+ self.parent_domain = parent_domain
self.hashalg = hashalg
static_flags = []
@@ -850,16 +867,19 @@ def _get_cookies(self, environ, value, max_age=None):
cookies = [
('Set-Cookie', '%s="%s"; Path=%s%s%s' % (
- self.cookie_name, value, self.path, max_age, self.static_flags)),
- ('Set-Cookie', '%s="%s"; Path=%s; Domain=%s%s%s' % (
- self.cookie_name, value, self.path, cur_domain, max_age,
- self.static_flags)),
+ self.cookie_name, value, self.path, max_age, self.static_flags))
]
- if self.wild_domain:
- wild_domain = '.' + cur_domain
+ domains = []
+ if self.parent_domain and cur_domain.count('.') > 1:
+ domains.append('.' + cur_domain.split('.', 1)[1])
+ else:
+ domains.append(cur_domain)
+ if self.wild_domain:
+ domains.append('.' + cur_domain)
+ for domain in domains:
cookies.append(('Set-Cookie', '%s="%s"; Path=%s; Domain=%s%s%s' % (
- self.cookie_name, value, self.path, wild_domain, max_age,
+ self.cookie_name, value, self.path, domain, max_age,
self.static_flags)))
return cookies
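Review bot: The parent-domain derivation at `if self.parent_domain and cur_domain.count('.') > 1:` treats any host with two or more dots as having a settable parent, so a site served as `example.co.uk` gets a cookie for `.co.uk`, which browsers reject as a public suffix and silently drop, leaving only the Domain-less cookie. A dot count cannot distinguish a registrable parent from a public suffix; consider letting callers pass an explicit parent domain, or at minimum add `# NOTE: dot count cannot tell a public suffix (e.g. example.co.uk -> .co.uk) from a real parent; browsers reject such Domain values` above the check and state the limitation in the ``parent_domain`` docstring entry. That docstring entry should also say that the cookie becomes readable by every host under the parent domain, so all of those hosts must share the secret and be equally trusted, and `supercedes` there should read `supersedes`. `_get_cookies` starts outside the hunk, and where `cur_domain` is computed (whether a port has already been stripped) is not visible here.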
24 pyramid/tests/test_authentication.py
@@ -947,6 +947,30 @@ def test_remember_wild_domain_disabled(self):
self.assertTrue(result[1][1].endswith('; Path=/; Domain=localhost'))
self.assertTrue(result[1][1].startswith('auth_tkt='))
+ def test_remember_parent_domain(self):
+ helper = self._makeOne('secret', parent_domain=True)
+ request = self._makeRequest()
+ request.environ['HTTP_HOST'] = 'www.example.com'
+ result = helper.remember(request, 'other')
+ self.assertEqual(len(result), 2)
+
+ self.assertEqual(result[0][0], 'Set-Cookie')
+ self.assertTrue(result[0][1].endswith('; Path=/'))
+ self.assertTrue(result[0][1].startswith('auth_tkt='))
+
+ self.assertEqual(result[1][0], 'Set-Cookie')
+ self.assertTrue(result[1][1].endswith('; Path=/; Domain=.example.com'))
+ self.assertTrue(result[1][1].startswith('auth_tkt='))
+
+ def test_remember_parent_domain_supercedes_wild_domain(self):
+ helper = self._makeOne('secret', parent_domain=True, wild_domain=True)
+ request = self._makeRequest()
+ request.environ['HTTP_HOST'] = 'www.example.com'
+ result = helper.remember(request, 'other')
+ self.assertEqual(len(result), 2)
+ self.assertTrue(result[0][1].endswith('; Path=/'))
+ self.assertTrue(result[1][1].endswith('; Path=/; Domain=.example.com'))
+
def test_remember_domain_has_port(self):
helper = self._makeOne('secret', wild_domain=False)
request = self._makeRequest()
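Review bot: The new tests only exercise a three-label host, so the fallback branch in `_get_cookies` — a host with a single dot such as `example.com`, where `parent_domain=True` silently produces the ordinary `Domain=example.com` cookie instead of a parent cookie — has no coverage. A test for that case follows; it passes `wild_domain=False` explicitly so the expected cookie count does not depend on the default used by `_makeOne`, which is defined outside this hunk. A companion test pinning the output for a host under a multi-label public suffix such as `example.co.uk` would also make the current dot-count behaviour visible to whoever changes it later.

```python
def test_remember_parent_domain_single_dot_host(self):
    # A host with only one dot has no parent to widen to; the option
    # must fall back to the plain host cookie rather than emit nothing.
    helper = self._makeOne('secret', parent_domain=True, wild_domain=False)
    request = self._makeRequest()
    request.environ['HTTP_HOST'] = 'example.com'
    result = helper.remember(request, 'other')
    self.assertEqual(len(result), 2)
    self.assertTrue(result[0][1].endswith('; Path=/'))
    self.assertTrue(result[1][1].endswith('; Path=/; Domain=example.com'))
```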