Forum OpenACS Q&A: Response to host / site-node map

Posted by Alex Sokoloff on
There's another issue with host-node mapping that may have been kicked around a little already: if you log in to the site from one hostname, and then switch to a subsite using a different, "mapped" hostname, you lose your login... because the cookie has a different name. I remember looking into this briefly about a year ago, but only vaguely. I think the original specification for cookies says the server can set the hostname of the cookie it's accessing, but in practice it's a big security hole. I think depending on the browser security settings, you can't read/write cookies for a different host. Again, I'm dredging this up from memory.
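
The cookie scoping behind the lost login, as an added example that is not part of the original post or of OpenACS: a simplified version of the domain-matching rules in RFC 6265, showing which host a login cookie is stored for and which hosts receive it. The hostnames and function names are constructed for illustration, and the public-suffix check that real browsers also apply is left out.

```javascript
// Simplified RFC 6265 domain matching (no public-suffix list).
// All hostnames used with these functions are constructed placeholders.

// True when `host` is `cookieDomain` itself or a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  // IP addresses only ever match exactly, never by suffix.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  // Suffix match must fall on a label boundary ("." + domain).
  return !isIp && host.endsWith("." + cookieDomain);
}

// What a browser does with a Set-Cookie received from `requestHost`.
function acceptSetCookie(requestHost, domainAttr) {
  if (domainAttr === undefined || domainAttr === "") {
    // No Domain attribute: host-only cookie, bound to the exact host.
    return { stored: true, hostOnly: true, domain: requestHost.toLowerCase() };
  }
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (!domainMatch(requestHost, domain)) {
    // A server may not set a cookie for a host it is not part of.
    return { stored: false, reason: "Domain does not match request host" };
  }
  return { stored: true, hostOnly: false, domain };
}

// Whether a stored cookie is attached to a request for `requestHost`.
function wouldSend(cookie, requestHost) {
  if (!cookie.stored) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Login on the main host, then visit a subsite mapped to another hostname.
const login = acceptSetCookie("www.example.test", undefined);
console.log(wouldSend(login, "subsite.example.org"));   // false: login is lost
// The main host trying to set the cookie for the mapped host is rejected.
console.log(acceptSetCookie("www.example.test", "subsite.example.org").stored);
// Sharing only works when both hosts sit under one parent domain.
const shared = acceptSetCookie("www.example.test", "example.test");
console.log(wouldSend(shared, "shop.example.test"));    // true
```

A session can only follow the user across mapped hostnames through a cookie when those hostnames share a parent domain; otherwise the site needs some explicit hand-off between hosts.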