Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a parent_domain option for auth_tkt policy #1028

Merged
merged 1 commit into from Jul 17, 2013

Conversation

Projects
None yet
7 participants
@wichert
Copy link
Member

commented Jun 3, 2013

This change adds a new parent_domain option to AuthTktAuthenticationPolicy which sets the authentication cookie as a wildcard cookie on the parent domain. This is useful if you have multiple sites sharing the same domain.

Add a parent_domain option for auth_tkt policy
This change adds a new ``parent_domain`` option to
``AuthTktAuthenticationPolicy`` which sets the authentication cookie as
a wildcard cookie on the parent domain. This
is useful if you have multiple sites sharing the same domain.
@mmerickel

This comment has been minimized.

Copy link
Member

commented Jun 3, 2013

Does this actually work? I was under the impression that a subdomain could not set a cookie for a parent domain for security reasons.

@bertjwregeer

This comment has been minimized.

@wichert

This comment has been minimized.

Copy link
Member Author

commented Jun 4, 2013

It works just fine and used very often.

@wichert

This comment has been minimized.

Copy link
Member Author

commented Jun 6, 2013

There are a couple of relevant standards here:

  • RFC 2109 basically says that a server can only set a cookie which would be received by that same server: cookies must be rejected of the current URI does not match the cookie parameters.
  • RFC 6265, in particular section 5.1.3 and section 5.2.3 change the domain matching rules a bit: the leading dot in a domain parameter is always ignored and cookies will always be send to subdomains. I don't know which browsers do and do not support this, so it is safest to include the loading dot.

Setting cookies on the parent domain is incredibly useful if you want to share a cookie between multiple services running within a domain. One example of a popular service that uses this is google analytics. If I click around a bit on www.bonprix.de for example I start with GA cookies for just www.bonprix.de but after a few clicks I also get GA cookies for .bonprix.de, which helps google uses to track visits across multiple sites in the same domain.

image

@tseaver

This comment has been minimized.

Copy link
Member

commented Jun 18, 2013

+1

@mcdonc mcdonc merged commit 188aa7e into Pylons:master Jul 17, 2013

@wichert wichert deleted the wichert:auth-parent-domain branch Jul 17, 2013

@enmand

This comment has been minimized.

Copy link

commented Jul 24, 2013

I'm not sure if this warrants creating an issue or not, but when using the parent_domain=True option on AuthTktAuthenticationPolicy, the AuthTktCookieHelper._get_cookies() function still send a Set-Cookie for the domain without the leading '.', since it sends it without a domain= key (https://github.com/znanja/pyramid/blob/master/pyramid/authentication.py#L868)

This causes some problems for example when the user logs in on domain.com, does to sub.domain.com, and logs out again on domain.com. This is a bit of a convoluted path, but you can see other potential issues that might arise.

I would say if parent_domain=True, don't send the first 'Set-Cookie' header without the domain= key. RFC 6265 section 5.1.3 quoted above seems to allow for this.

@landreville

This comment has been minimized.

Copy link
Contributor

commented Apr 16, 2015

Just wanted to note that this has the same problem as an earlier pull request I submitted: #450. When the domain has a multi-part public suffix such as "example.co.uk" it will set the cookie on ".co.uk" instead of the correct "example.co.uk".

Here is an example test that fails:

def test_remember_parent_domain_multipart_suffix(self):
        helper = self._makeOne('secret', parent_domain=True)
        request = self._makeRequest()
        request.domain = 'example.co.uk'
        result = helper.remember(request, 'other')
        self.assertEqual(len(result), 1)

        self.assertEqual(result[0][0], 'Set-Cookie')
        self.assertTrue(result[0][1].endswith('; Domain=example.co.uk; Path=/'))
        self.assertTrue(result[0][1].startswith('auth_tkt='))
@bertjwregeer

This comment has been minimized.

Copy link
Member

commented Apr 16, 2015

@landreville Unfortunately there is not much that Pyramid can do. We don't want to depend on hardcoding the list of "top-level" domain names, nor do we want to depend on packages that do this already.

@mmerickel

This comment has been minimized.

Copy link
Member

commented Apr 16, 2015

This is really the responsibility of the developer to make sure their app is not doing this. They know where it will be hosted, and have control over the settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.