New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cur_domain is effectively equivalent to '.' + cur_domain and therefor… #3587
Conversation
Argh... those build failures are not yours. Looks like pytest made some changes again. Please stand by, I'll get those fixed and have you rebase afterwards. |
@ericatkin would you please rebase this on top of the new master. Thank you! |
…e negates the effect of wild_domain
So, I assumed that adding both |
I don't mean to wax nostalgic too much but wild_domain was my first PR I ever did for an open source project that I can recall. I caught @mcdonc whining about users who complain without contributing and felt I had to do something so that I could keep complaining. :-) It's been a journey, glad to see it didn't actually fix the problem. I wonder if some browsers treat it different or if I just didn't test it enough back then. |
I certainly misunderstood the issue at first. The standard seems backward
to me, you specify a name to trigger wild card behavior, and an unspecified
domain means the more restrictive behavior (so called "host-only" cookie).
…On Thu, May 28, 2020, 7:33 PM Michael Merickel ***@***.***> wrote:
I don't mean to wax nostalgic too much but wild_domain was my first PR I
ever did for an open source project that I can recall. :-) It's been a
journey, glad to see it didn't actually fix the problem. I wonder if some
browsers treat it different or if I just didn't test it enough back then.
#98 <#98>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3587 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAVJ6ECKD5RCIUCWGZPGIRTRT4GFBANCNFSM4NNNAG2A>
.
|
src/pyramid/authentication.py
Outdated
if self.wild_domain: | ||
domains.append(cur_domain) | ||
domains.append('.' + cur_domain) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should drop this line of the code, it is unnecessary and we should probably change the logic to either append cur_domain
or append None
, not do both. There is no reason to send two cookies in this case.
Thanks for working with us @ericatkin. Re-reading the spec and what is expected, we should either set the |
Here's the spec for those following along: https://tools.ietf.org/html/rfc6265#section-4.1.2.3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me, thank you!
Ok so I think we should backport this to 1.10. I can look at doing that this weekend if someone doesn't get to it first. |
Is this why Pyramid is creating a 2nd, undesired auth_tkt cookie for a domain I did not request? I mean, if I have "my-domain.com", Pyramid is creating an extra auth_tkt cookie for ".my-domain.com" (with a dot at the start). Can I just wait for this fix to be released and trust it will go away? I am on 1.10.4, the latest. By the way, my code is this...
|
@nandoflorestan I'm not sure I see in the code how you'd be seeing https://github.com/Pylons/pyramid/blob/1.10.4/src/pyramid/authentication.py#L909-L932 |
I edited /etc/hosts to add this line:
...because the issue only happens when the domain name contains a dot. Testing on http://local.host:6543/ I saw the extra auth_tkt cookie appear when I logged in. In order to debug this, it is necessary to restart waitress. I saw that the value of the variable "domains" is [None, 'local.host'], as you would expect. But at the end, when profile.get_headers(value, **kw) was called with
The above contains 2 cookies. The one without a domain is undesired. profile is a webob.cookies.CookieProfile object. pip says my webob is up-to-date at 1.8.6. The issue would be fixed by the removal of the line In fact, I don't know why that line would be there at all. I am sorry if I am talking about something different from this issue's subject. If you want me to open a separate ticket, please say so. |
@nandoflorestan that's the expected behavior. You made it sound originally like it was returning a cookie for |
I am sorry for the noise. I have opened #3609 |
I've decided to not backport this because while it is a bug, it's also a bw-incompat change that apps may be inadvertently relying on. I don't want to change something that's been operating in that way for so many years in a bugfix release. |
…e negates the effect of wild_domain
See PR #3586