This change adds a new parent_domain option to AuthTktAuthenticationPolicy which sets the authentication cookie as a wildcard cookie on the parent domain. This is useful if you have multiple sites sharing the same domain.
Add a parent_domain option for auth_tkt policy
This change adds a new ``parent_domain`` option to
``AuthTktAuthenticationPolicy`` which sets the authentication cookie as
a wildcard cookie on the parent domain. This
is useful if you have multiple sites sharing the same domain.
Does this actually work? I was under the impression that a subdomain could not set a cookie for a parent domain for security reasons.
There is some discussion on this on SO: http://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com
There are a couple of relevant standards here:
Setting cookies on the parent domain is incredibly useful if you want to share a cookie between multiple services running within a domain. One example of a popular service that uses this is google analytics. If I click around a bit on www.bonprix.de for example I start with GA cookies for just www.bonprix.de but after a few clicks I also get GA cookies for .bonprix.de, which helps google uses to track visits across multiple sites in the same domain.
I'm not sure if this warrants creating an issue or not, but when using the parent_domain=True option on AuthTktAuthenticationPolicy, the AuthTktCookieHelper._get_cookies() function still send a Set-Cookie for the domain without the leading '.', since it sends it without a domain= key (https://github.com/znanja/pyramid/blob/master/pyramid/authentication.py#L868)
This causes some problems for example when the user logs in on domain.com, does to sub.domain.com, and logs out again on domain.com. This is a bit of a convoluted path, but you can see other potential issues that might arise.
I would say if parent_domain=True, don't send the first 'Set-Cookie' header without the domain= key. RFC 6265 section 5.1.3 quoted above seems to allow for this.
Just wanted to note that this has the same problem as an earlier pull request I submitted: #450. When the domain has a multi-part public suffix such as "example.co.uk" it will set the cookie on ".co.uk" instead of the correct "example.co.uk".
Here is an example test that fails:
helper = self._makeOne('secret', parent_domain=True)
request = self._makeRequest()
request.domain = 'example.co.uk'
result = helper.remember(request, 'other')
self.assertTrue(result.endswith('; Domain=example.co.uk; Path=/'))
@landreville Unfortunately there is not much that Pyramid can do. We don't want to depend on hardcoding the list of "top-level" domain names, nor do we want to depend on packages that do this already.
This is really the responsibility of the developer to make sure their app is not doing this. They know where it will be hosted, and have control over the settings.