
Duplicate auth_tkt cookie is set if domain has a dot #3609

Closed
nandoflorestan opened this issue Aug 29, 2020 · 2 comments

Comments


nandoflorestan commented Aug 29, 2020

Pyramid is creating a second, undesired auth_tkt cookie, without a domain -- if the domain name contains a dot.

I am using Pyramid 1.10.4, the latest.

from pyramid.authentication import AuthTktAuthenticationPolicy

# secret, effective_principals and secure are defined elsewhere in the app;
# config is the application's pyramid.config.Configurator.
config.set_authentication_policy(
    AuthTktAuthenticationPolicy(
        secret,
        callback=effective_principals,
        wild_domain=False,    # no ".local.host" wildcard cookie
        parent_domain=False,  # no parent-domain cookie
        secure=secure,
        samesite="strict",
    )
)

There is nothing in the above code that might indicate more than one domain. Therefore I expect only one auth_tkt cookie to be created, but in fact 2 cookies are sent, one of them without a domain. This means 2 redundant cookies keep traveling up and down the wire, where only one is needed.

Debugging this issue, I found the following:

I edited /etc/hosts to add this line:

127.0.0.1       local.host

...because the issue only happens when the domain name contains a dot -- such as in production.

Testing on http://local.host:6543/ I saw the extra auth_tkt cookie appear when I logged in.

In order to debug this, it is necessary to restart waitress. I saw that the value of the variable "domains" is [None, 'local.host'], as you would expect from the code:

https://github.com/Pylons/pyramid/blob/1.10.4/src/pyramid/authentication.py#L919

But at the end, when profile.get_headers(value, **kw) was called with kw == {'domains': [None, 'local.host']}, it returned this:

[('Set-Cookie', 'auth_tkt=5cd21111c756ca02499eb331385ca6730e64d9f4fd21e05b55c39235b5bcb14d9e7d6987b2e7327e3e68315bf8665bd9e11c55af7cfacc6a9f25d33838e4d2d55f48f34a1!userid_type:int; Path=/; SameSite=strict'), ('Set-Cookie', 'auth_tkt=5cd21111c756ca02499eb331385ca6730e64d9f4fd21e05b55c39235b5bcb14d9e7d6987b2e7327e3e68315bf8665bd9e11c55af7cfacc6a9f25d33838e4d2d55f48f34a1!userid_type:int; Domain=local.host; Path=/; SameSite=strict')]

The above contains 2 cookies. The one without a domain is undesired.

profile is a webob.cookies.CookieProfile object. pip says my webob is up-to-date at 1.8.6.

Maybe the solution is to reposition the line I indicated above. It should be at the end, executing only if the domains list is empty -- then you add a None, otherwise you don't.

I am sorry I discussed this in the wrong ticket at first.
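The domain-list behaviour described in this report, with a check for duplicate Set-Cookie headers, as an added example that is not Pyramid's or webob's code: build_domains is a simplified model (an assumption) of how the list ends up as [None, 'local.host'] and of the reporter's suggested reordering, and set_cookie_headers stands in for CookieProfile.get_headers.

```python
from typing import Dict, List, Optional, Tuple


def build_domains(host: str, wild_domain: bool = False,
                  parent_domain: bool = False, fixed: bool = False) -> List[Optional[str]]:
    """Domain list for the auth_tkt cookie (simplified model, an assumption,
    not Pyramid's own code). fixed=False reproduces the report: None is added
    up front, so a dotted host gives [None, host]. fixed=True follows the
    reporter's suggestion: add None only if the list is still empty."""
    domains: List[Optional[str]] = []
    if not fixed:
        domains.append(None)  # host-only cookie, sent without Domain=
    if parent_domain and host.count(".") > 1:
        domains.append("." + host.split(".", 1)[1])
    else:
        domains.append(host)
        if wild_domain:
            domains.append("." + host)
    if fixed and not domains:
        domains.append(None)
    return domains


def set_cookie_headers(name: str, value: str,
                       domains: List[Optional[str]]) -> List[Tuple[str, str]]:
    """One Set-Cookie header per domain, standing in for
    CookieProfile.get_headers (only Path=/ and SameSite=strict)."""
    headers = []
    for domain in domains:
        parts = [f"{name}={value}"]
        if domain:
            parts.append(f"Domain={domain}")
        parts += ["Path=/", "SameSite=strict"]
        headers.append(("Set-Cookie", "; ".join(parts)))
    return headers


def duplicate_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[Optional[str]]]:
    """Cookie names set more than once in one response, with the Domain of
    each occurrence (None = host-only); usable as a regression assertion."""
    seen: Dict[str, List[Optional[str]]] = {}
    for header, val in headers:
        if header.lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in val.split(";")]
        domain = next((a.partition("=")[2] for a in attrs
                       if a.partition("=")[0].lower() == "domain"), None)
        seen.setdefault(pair.split("=", 1)[0], []).append(domain)
    return {name: doms for name, doms in seen.items() if len(doms) > 1}
```

The model emits both headers for any host; the report only observed the duplicate in the browser for a dotted host, and that browser-side behaviour is not modelled here.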

mmerickel (Member) commented:

I think this issue is solved by #3587.

nandoflorestan (Author) commented:

...inasmuch as the code in that ticket does away with the domains variable, yes, I agree, it should solve this problem. But I haven't tested it.
