Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

No cookies on other domain when using parent_domain #1072

Merged
merged 1 commit into from

2 participants

Wichert Akkerman Andreas Zeidler
Wichert Akkerman

This address a comment from @enmand on Pylons/pyramid#1028: when using parent_domain you should never set a cookie on the current domain, or you risk getting invalid behaviour when logging in on one domain and doing logout on another domain.

Andreas Zeidler

@tomster & i have pair-reviewed this and think it looks good, +2 on merging...

Andreas Zeidler

merging after discussing the fix with @mcdonc...

Andreas Zeidler witsch merged commit 9bde7c5 into from
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Aug 10, 2013
  1. Wichert Akkerman
This page is out of date. Refresh to see the latest.
Showing with 17 additions and 22 deletions.
  1. +7 −7 pyramid/authentication.py
  2. +10 −15 pyramid/tests/test_authentication.py
14 pyramid/authentication.py
View
@@ -865,22 +865,22 @@ def _get_cookies(self, environ, value, max_age=None):
if ':' in cur_domain:
cur_domain = cur_domain.split(':', 1)[0]
- cookies = [
- ('Set-Cookie', '%s="%s"; Path=%s%s%s' % (
- self.cookie_name, value, self.path, max_age, self.static_flags))
- ]
domains = []
if self.parent_domain and cur_domain.count('.') > 1:
domains.append('.' + cur_domain.split('.', 1)[1])
else:
+ domains.append(None)
domains.append(cur_domain)
if self.wild_domain:
domains.append('.' + cur_domain)
+
+ cookies = []
+ base_cookie = '%s="%s"; Path=%s%s%s' % (self.cookie_name, value,
+ self.path, max_age, self.static_flags)
for domain in domains:
- cookies.append(('Set-Cookie', '%s="%s"; Path=%s; Domain=%s%s%s' % (
- self.cookie_name, value, self.path, domain, max_age,
- self.static_flags)))
+ domain = '; Domain=%s' % domain if domain is not None else ''
+ cookies.append(('Set-Cookie', '%s%s' % (base_cookie, domain)))
return cookies
25 pyramid/tests/test_authentication.py
View
@@ -908,11 +908,11 @@ def test_remember_http_only(self):
self.assertTrue(result[0][1].startswith('auth_tkt='))
self.assertEqual(result[1][0], 'Set-Cookie')
- self.assertTrue(result[1][1].endswith('; HttpOnly'))
+ self.assertTrue('; HttpOnly' in result[1][1])
self.assertTrue(result[1][1].startswith('auth_tkt='))
self.assertEqual(result[2][0], 'Set-Cookie')
- self.assertTrue(result[2][1].endswith('; HttpOnly'))
+ self.assertTrue('; HttpOnly' in result[2][1])
self.assertTrue(result[2][1].startswith('auth_tkt='))
def test_remember_secure(self):
@@ -952,24 +952,19 @@ def test_remember_parent_domain(self):
request = self._makeRequest()
request.environ['HTTP_HOST'] = 'www.example.com'
result = helper.remember(request, 'other')
- self.assertEqual(len(result), 2)
+ self.assertEqual(len(result), 1)
self.assertEqual(result[0][0], 'Set-Cookie')
- self.assertTrue(result[0][1].endswith('; Path=/'))
+ self.assertTrue(result[0][1].endswith('; Path=/; Domain=.example.com'))
self.assertTrue(result[0][1].startswith('auth_tkt='))
- self.assertEqual(result[1][0], 'Set-Cookie')
- self.assertTrue(result[1][1].endswith('; Path=/; Domain=.example.com'))
- self.assertTrue(result[1][1].startswith('auth_tkt='))
-
def test_remember_parent_domain_supercedes_wild_domain(self):
helper = self._makeOne('secret', parent_domain=True, wild_domain=True)
request = self._makeRequest()
request.environ['HTTP_HOST'] = 'www.example.com'
result = helper.remember(request, 'other')
- self.assertEqual(len(result), 2)
- self.assertTrue(result[0][1].endswith('; Path=/'))
- self.assertTrue(result[1][1].endswith('; Path=/; Domain=.example.com'))
+ self.assertEqual(len(result), 1)
+ self.assertTrue(result[0][1].endswith('; Domain=.example.com'))
def test_remember_domain_has_port(self):
helper = self._makeOne('secret', wild_domain=False)
@@ -1102,13 +1097,13 @@ def test_forget(self):
name, value = headers[1]
self.assertEqual(name, 'Set-Cookie')
self.assertEqual(value,
- 'auth_tkt=""; Path=/; Domain=localhost; Max-Age=0; '
- 'Expires=Wed, 31-Dec-97 23:59:59 GMT')
+ 'auth_tkt=""; Path=/; Max-Age=0; '
+ 'Expires=Wed, 31-Dec-97 23:59:59 GMT; Domain=localhost')
name, value = headers[2]
self.assertEqual(name, 'Set-Cookie')
self.assertEqual(value,
- 'auth_tkt=""; Path=/; Domain=.localhost; Max-Age=0; '
- 'Expires=Wed, 31-Dec-97 23:59:59 GMT')
+ 'auth_tkt=""; Path=/; Max-Age=0; '
+ 'Expires=Wed, 31-Dec-97 23:59:59 GMT; Domain=.localhost')
class TestAuthTicket(unittest.TestCase):
def _makeOne(self, *arg, **kw):
Something went wrong with that request. Please try again.