Add a parent_domain option for auth_tkt policy #1028

merged 1 commit into from Jul 17, 2013

7 participants

Pylons Project member

This change adds a new parent_domain option to AuthTktAuthenticationPolicy which sets the authentication cookie as a wildcard cookie on the parent domain. This is useful if you have multiple sites sharing the same domain.

@wichert wichert Add a parent_domain option for auth_tkt policy
This change adds a new ``parent_domain`` option to
``AuthTktAuthenticationPolicy`` which sets the authentication cookie as
a wildcard cookie on the parent domain. This
is useful if you have multiple sites sharing the same domain.
Pylons Project member

Does this actually work? I was under the impression that a subdomain could not set a cookie for a parent domain for security reasons.

Pylons Project member
Pylons Project member

There are a couple of relevant standards here:

  • RFC 2109 basically says that a server can only set a cookie which would be received by that same server: cookies must be rejected of the current URI does not match the cookie parameters.
  • RFC 6265, in particular section 5.1.3 and section 5.2.3 change the domain matching rules a bit: the leading dot in a domain parameter is always ignored and cookies will always be send to subdomains. I don't know which browsers do and do not support this, so it is safest to include the loading dot.

Setting cookies on the parent domain is incredibly useful if you want to share a cookie between multiple services running within a domain. One example of a popular service that uses this is google analytics. If I click around a bit on for example I start with GA cookies for just but after a few clicks I also get GA cookies for, which helps google uses to track visits across multiple sites in the same domain.


Pylons Project member


@mcdonc mcdonc merged commit 188aa7e into Pylons:master Jul 17, 2013
@wichert wichert deleted the wichert:auth-parent-domain branch Jul 17, 2013

I'm not sure if this warrants creating an issue or not, but when using the parent_domain=True option on AuthTktAuthenticationPolicy, the AuthTktCookieHelper._get_cookies() function still send a Set-Cookie for the domain without the leading '.', since it sends it without a domain= key (

This causes some problems for example when the user logs in on, does to, and logs out again on This is a bit of a convoluted path, but you can see other potential issues that might arise.

I would say if parent_domain=True, don't send the first 'Set-Cookie' header without the domain= key. RFC 6265 section 5.1.3 quoted above seems to allow for this.


Just wanted to note that this has the same problem as an earlier pull request I submitted: #450. When the domain has a multi-part public suffix such as "" it will set the cookie on "" instead of the correct "".

Here is an example test that fails:

def test_remember_parent_domain_multipart_suffix(self):
        helper = self._makeOne('secret', parent_domain=True)
        request = self._makeRequest()
        request.domain = ''
        result = helper.remember(request, 'other')
        self.assertEqual(len(result), 1)

        self.assertEqual(result[0][0], 'Set-Cookie')
        self.assertTrue(result[0][1].endswith(';; Path=/'))
Pylons Project member

@landreville Unfortunately there is not much that Pyramid can do. We don't want to depend on hardcoding the list of "top-level" domain names, nor do we want to depend on packages that do this already.

Pylons Project member

This is really the responsibility of the developer to make sure their app is not doing this. They know where it will be hosted, and have control over the settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment