Add a parent_domain option for auth_tkt policy #1028
There is some discussion on this on SO: http://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com
There are a couple of relevant standards here:
Setting cookies on the parent domain is incredibly useful if you want to share a cookie between multiple services running within a domain. One example of a popular service that uses this is Google Analytics. If I click around a bit on www.bonprix.de, for example, I start with GA cookies for just www.bonprix.de, but after a few clicks I also get GA cookies for .bonprix.de, which Google uses to track visits across multiple sites in the same domain.
I'm not sure if this warrants creating an issue or not, but when using the
This causes some problems, for example when the user logs in on domain.com, goes to sub.domain.com, and logs out again on domain.com. This is a bit of a convoluted path, but you can see other potential issues that might arise.
I would say if
referenced this pull request
Aug 10, 2013
Just wanted to note that this has the same problem as an earlier pull request I submitted: #450. When the domain has a multi-part public suffix such as "example.co.uk" it will set the cookie on ".co.uk" instead of the correct "example.co.uk".
Here is an example test that fails:
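An added illustration of the multi-part public suffix problem raised in the comment above; it is not the commenter's failing test, which is not reproduced on this page, and it is not code from Pyramid or from the pull request. The strip-the-first-label rule, the function names and the small suffix set are assumptions made for this example.

```python
# Added illustration; not code from the pull request or from Pyramid.
# CONSTRUCTED subset of public-suffix rules. A real deployment would load the
# full Public Suffix List (publicsuffix.org), which also has wildcard and
# exception rules that this sketch does not handle.
PUBLIC_SUFFIXES = {"com", "de", "uk", "co.uk", "org.uk"}


def naive_parent_domain(host):
    """Strip the leftmost label (assumed rule, matching the reported behaviour)."""
    host = host.lower().rstrip(".")
    if host.count(".") < 2:
        return None
    return "." + host.split(".", 1)[1]


def public_suffix(host):
    """Return the longest known public suffix of host, or None."""
    labels = host.split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def clamped_parent_domain(host):
    """Parent cookie domain that is never wider than the registrable domain."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host)
    if suffix is None or host == suffix:
        return None  # unknown or bare suffix: keep a host-only cookie
    labels = host.split(".")
    n = suffix.count(".") + 2  # number of labels in the registrable domain
    registrable = ".".join(labels[-n:])
    parent = ".".join(labels[1:])
    # Stripping a label from the registrable domain would land on the public
    # suffix, so stop at the registrable domain instead.
    return "." + (registrable if host == registrable else parent)


if __name__ == "__main__":
    for h in ("www.bonprix.de", "example.co.uk", "www.example.co.uk"):
        print(h, naive_parent_domain(h), clamped_parent_domain(h))
```

A cookie scoped to a public suffix such as `.co.uk` would be visible to unrelated sites under that suffix, which is why the clamp stops at the registrable domain.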