Forum OpenACS Development: Change Cookie Name

Posted by Clay Gordon on
As a devout cookie watcher, I'd like to suggest changing the default prefix of the cookies OACS sets from "ad_" to "oacs_". The primary reason is that the "ad_" prefix may lead people into thinking that an advertising server is trying to set the cookie. The secondary reason is that, though it's important to acknowledge the aD heritage, it's also important to identify OACS uniquely. It seems like a pretty trivial fix, but it's one that I've recommended to Open Force on my project and one that I recommend to the rest of the community.
Posted by Don Baccus on
I never thought about it, frankly, but it's not a bad idea at all.
Posted by Clay Gordon on
Don, it occurred to me that this might be an AOLserver configuration issue, not an
OACS configuration issue. In which case if AOLserver is included in the OACS
tarball then it could be done in those copies; code/binaries downloaded from
aolserver.com probably couldn't be changed.
Posted by Mat Kovach on
I believe all the cookies are handled in the security code. I can see anywhere where the AOLserver code sets the cookies for OpenACS or ACS.

I think we'd have to look in all procs for ad_set_cookie/ad_get_cookie etc. and modify ad_..... to oacs_... since ad_set_cookie accepts the name of the cookie (i.e., it does not add the ad_ part).

Of course, I could be completely off track on this.

Posted by Tilmann Singer on
To whoever implements this: please announce it publicly as soon as the change is done, because this would mean for existing installations that are updated that all the users who have a persistent login cookie would suddenly be logged out and would have to re-login.

A quick grep suggests that besides acs-tcl/tcl/security-procs.tcl, where almost all of the cookie stuff is done, one would only have to change some stuff in ecommerce, which sets the cookies explicitly for some reason, and some occurrences of the cookie names in the docs.
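
Added example, not part of any post in this thread and not OpenACS code: a language-neutral Python model of how a rename from "ad_" to "oacs_" could keep persistent logins alive by accepting the legacy name once and reissuing the cookie under the new one. The base names `session_id` and `user_login`, the lifetimes, and the `verify` callback are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

LEGACY_PREFIX, NEW_PREFIX = "ad_", "oacs_"   # prefixes named in the thread
# Assumed base names and lifetimes in seconds (None = session cookie); constructed.
COOKIES = {"session_id": None, "user_login": 365 * 24 * 3600}


def read_cookie(cookie_header, base):
    """Return (value, came_from_legacy_name) for one logical cookie."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    for prefix in (NEW_PREFIX, LEGACY_PREFIX):    # new name wins if both exist
        if prefix + base in jar:
            return jar[prefix + base].value, prefix == LEGACY_PREFIX
    return None, False


def _set_cookie(name, value, max_age, secure):
    """Build one Set-Cookie value, keeping Path, HttpOnly and Secure in place."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = secure
    if max_age is not None:
        jar[name]["max-age"] = max_age
    return jar.output(header="").strip()


def migration_headers(cookie_header, verify, secure=True):
    """Set-Cookie values that move still-valid legacy cookies to the new prefix.

    verify(base, value) stands in for whatever check the application already
    applies to the cookie (signature, token lookup); it is not weakened here.
    """
    headers = []
    for base, max_age in COOKIES.items():
        value, legacy = read_cookie(cookie_header, base)
        if not legacy:
            continue
        if verify(base, value):
            headers.append(_set_cookie(NEW_PREFIX + base, value, max_age, secure))
        # Expire the old name either way so the browser stops sending it.
        headers.append(_set_cookie(LEGACY_PREFIX + base, "expired", 0, secure))
    return headers
```

The legacy fallback in `read_cookie` can be dropped once the longest cookie lifetime has elapsed since the rename.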