Forum OpenACS Development: Re: Allow Host Node Mapped Host Names for Cookies

Posted by Gustaf Neumann on
The same problem will arise when foo and bar are served by the same nsd, by different OpenACS instances on the same machine, or by different OpenACS instances on different machines.

What are you trying to achieve?

Posted by Dave Bauer on
Thanks Gustaf, I am trying to see if I can clarify the requirements, to make sure we are doing the right thing. I appreciate your explanations.

If cookie domains are a problem, perhaps we need to remove or identify the issue with that setting?

Posted by Gustaf Neumann on
Whatever "problem" means: I was pointing out the fact that mixing domain cookies and non-domain cookies is not a good idea, since current browsers will send these cookies twice (once as domain cookies, once as "normal" (site) cookies). Imagine a user logging in first (1) to foo.company.org and later (2) to bar.company.org, where foo uses site cookies and bar sets its cookies as domain cookies of "company.org". When the user then visits foo.company.org again as visit (3), the server will see duplicate "ad_login", "ad_session_id", etc. cookies, causing all kinds of confusion.

My message was just: think twice when using domain cookies.
To your original question: yes, there should be a way to optionally set a cookie domain for host-node-mapped sites for orthogonality, but that should be possible from the web UI.

The second point was: the cookie-name confusion can be avoided when we set e.g. a "cookie realm", like "development", "external", ..., which could be appended to the cookie name (e.g. "ad_login-external"); then there can't be any kind of confusion like that indicated above.
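
The three visits described in the post above, modelled as an added example that is not part of the original thread and is not OpenACS code. It shows why foo.company.org receives `ad_session_id` twice and how a realm suffix on the cookie name keeps the two apart. The `CookieJar` class, the function names, the cookie values and the way the realm is appended are assumptions made for illustration.

```javascript
// Simplified model of browser cookie storage and selection (RFC 6265
// domain matching only; paths, expiry and public-suffix checks are ignored).
// Host names follow the post; cookie values are constructed.

function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // host: server that sent Set-Cookie; domainAttr: its optional Domain attribute.
  set(host, name, value, domainAttr) {
    if (domainAttr && !domainMatches(host, domainAttr)) return; // browser rejects it
    const c = { name, value, domain: domainAttr || host, hostOnly: !domainAttr };
    // Only a cookie with the same name AND domain is overwritten.
    this.cookies = this.cookies.filter(o => !(o.name === name && o.domain === c.domain));
    this.cookies.push(c);
  }

  // Cookie header the browser would send to `host`.
  headerFor(host) {
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Names that occur more than once in a Cookie header.
function duplicateNames(header) {
  const seen = new Set(), dup = new Set();
  for (const pair of header.split("; ").filter(Boolean)) {
    const name = pair.slice(0, pair.indexOf("="));
    (seen.has(name) ? dup : seen).add(name);
  }
  return [...dup].sort();
}

// The three visits from the post; the realm suffixes are hypothetical.
function visitFooAgain(fooRealm = "", barRealm = "") {
  const jar = new CookieJar();
  jar.set("foo.company.org", "ad_session_id" + fooRealm, "foo-session");                // (1) site cookie
  jar.set("bar.company.org", "ad_session_id" + barRealm, "bar-session", "company.org"); // (2) domain cookie
  return jar.headerFor("foo.company.org");                                              // (3)
}

console.log(visitFooAgain());                            // same name sent twice
console.log(visitFooAgain("-development", "-external")); // distinct names per realm
```

With realms, the domain cookie from bar still reaches foo, but foo looks up only its own realm-suffixed name and never has to pick between two values.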