Forum OpenACS Development: Re: Allow Host Node Mapped Host Names for Cookies

Posted by Dave Bauer on
Thanks Gustaf, I am trying to see if I can clarify the requirements, to make sure we are doing the right thing. I appreciate your explanations.

If cookie domains are a problem, perhaps we need to remove or identify the issue with that setting?

Posted by Gustaf Neumann on
Whatever "problem" means: I was pointing out the fact that mixing domain cookies and non-domain cookies is not a good idea, since current browsers will send these cookies twice (once as domain cookies, once as "normal" (site) cookies). Imagine a user logging first (1) into to and later (2) into, where the foo uses site cookies, and bar sets its cookies as domain cookies of "". When the user visits then as visit (3) again the server will see duplicate "ad_login", "ad_session_id", etc. cookies, causing all kinds of confusion.

My message was just: think twice when using domain cookies.
To your original question: yes, there should be a way to optionally set a cookie domain for host-node-mapped sites for orthogonality, but that should be possible from the web UI.

The second point was: the cookie-name confusion can be avoided when we set e.g. a "cookie realm", like "development", "external", ... which could be appended to the cookie name (e.g. "ad_login-external"); then there can't be any kind of confusion like that indicated above.
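
The duplicate-cookie situation and the "cookie realm" naming described in the post above, as an added example that is not part of the original thread or of OpenACS: a minimal model of browser cookie storage using RFC 6265 domain matching (paths ignored). The host names foo.example.com and bar.example.com, the cookie domain example.com and the helper `realm_name` are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # setting host, or the Domain attribute value
    host_only: bool  # True when no Domain attribute was sent

def domain_match(host, domain):
    """RFC 6265 section 5.1.3 domain matching for plain host names."""
    return host == domain or host.endswith("." + domain)

class Jar:
    """Minimal browser cookie store keyed by (name, domain); paths ignored."""
    def __init__(self):
        self.cookies = {}

    def set(self, request_host, name, value, domain=None):
        if domain is None:
            cookie = Cookie(name, value, request_host, True)
        elif domain_match(request_host, domain):
            cookie = Cookie(name, value, domain, False)
        else:
            return  # a browser rejects a Domain the host does not belong to
        self.cookies[(cookie.name, cookie.domain)] = cookie

    def sent_to(self, host):
        """(name, value) pairs the browser would send to `host`."""
        return [(c.name, c.value) for c in self.cookies.values()
                if (host == c.domain if c.host_only
                    else domain_match(host, c.domain))]

def realm_name(base, realm):
    """Hypothetical naming scheme: append the realm to the cookie name."""
    return f"{base}-{realm}"

def simulate(use_realm):
    # Constructed scenario: foo uses site cookies, bar uses domain cookies.
    foo = realm_name("ad_session_id", "development") if use_realm else "ad_session_id"
    bar = realm_name("ad_session_id", "external") if use_realm else "ad_session_id"
    jar = Jar()
    jar.set("foo.example.com", foo, "foo-session")                        # visit 1
    jar.set("bar.example.com", bar, "bar-session", domain="example.com")  # visit 2
    return jar.sent_to("foo.example.com")                                 # visit 3

if __name__ == "__main__":
    print("no realm:  ", simulate(False))
    print("with realm:", simulate(True))
```

With the realm suffix the domain cookie still reaches foo, but under a name foo never reads, so the server can tell the two apart.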