[Catalyst] Setting cookie_domain

Wade.Stuart at fallon.com Wade.Stuart at fallon.com
Mon Apr 16 18:36:03 GMT 2007

Bernhard Graf <catalyst2 at augensalat.de> wrote on 04/16/2007 11:55:21 AM:

> On Sunday 15 April 2007 21:32, Fernan Aguero wrote:
>
> > | Thank you, but this doesn't help. Because I have only one
> > | application that can be accessed under different domains (same
> > | 2nd-level domain with TLDs .de, .at and .ch in my case).
> >
> > Oh, I see. -- BTW I'm in geneva now :)
>
> Not so far from me - I'm in the lovely Ticino.
>
> > Yes I have some problems with sessions not working when I
> > switch to using the builtin server (instead of apache under
> > a registered domain) under localhost (for testing changes).
> >
> > | A sane default for cookie_domain would be something as
> > | $cd = (/(\.[^\.]+\.[^\.]+)$/)[0] || $_ for $c->req->uri->host
> > | giving you
> > | ".example.com" for "www.example.com" and "www.sub.example.com",
> > | "example.com" for "example.com" and of course
> > | "mylocaltestdomain" for "mylocaltestdomain".
> > |
> > | But this is untested yet.
> >
> > I'd be interested to know how you do that, if your tests are
> > successful.
>
> I added a finalize_cookies() to my main application ("MyApp.pm").
> Catalyst::Manual::Internals says that the request handlers might be
> extended in plugins, so maybe doing so in the main application is bad,
> but the following works:
>
> sub finalize_cookies {
>     my $c = shift;
>
>     # First pass: let the plugin chain (Session::State::Cookie, then core)
>     # build the response cookies, including the session cookie.
>     $c->NEXT::finalize_cookies(@_);
>
>     my $sc = $c->response->cookies->{$c->config->{session}->{cookie_name}};
>     if (defined($sc) and ref($sc) eq 'HASH') {
>         # Scope the cookie to the apex (".example.com" for "www.example.com"),
>         # or to the bare host when it has fewer than three labels.
>         $sc->{domain} = (/(\.[^\.]+\.[^\.]+)$/)[0] || $_
>             for $c->request->uri->host;
>     }
>     # Second pass: run the chain again so the adjusted domain is emitted.
>     $c->NEXT::finalize_cookies(@_);
> }
>
> But of course I'd prefer if Catalyst::Plugin::Session::State::Cookie did
> it right.

IMHO it does do it "right" out of the box.  The situation you are describing
is an edge case and I would be uncomfortable with it tossing any apex
domain willy-nilly as the lock domain in default behavior. Cookies should
be locked down to the host unless you have a reason to do it otherwise. In
many cases the apex behavior listed above can and will cause session id
bleed to unsecured sites.

-Wade
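To make the two positions above concrete, here is an added example (not code from this thread or from Catalyst) that reimplements Bernhard's apex regex as a plain function and checks, using the usual cookie domain-match rule, which hosts would receive a session cookie under host-only scoping versus the apex default. The hostnames are constructed; dev.example.com stands in for the kind of sibling host Wade has in mind.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Bernhard's proposed default: keep the last two labels with the leading dot;
# a host with fewer than three labels falls through to the host itself.
sub apex_cookie_domain {
    my ($host) = @_;
    my ($apex) = $host =~ /(\.[^.]+\.[^.]+)$/;
    return defined $apex ? $apex : $host;
}

# Cookie domain-match: a cookie with Domain=$domain is sent to $host when
# $host equals $domain (leading dot ignored) or ends in ".$domain".
sub cookie_sent_to {
    my ($domain, $host) = @_;
    (my $d = $domain) =~ s/^\.//;
    return ($host eq $d || $host =~ /\.\Q$d\E$/) ? 1 : 0;
}

# For a cookie first set on $set_on, report which of @hosts receive it under
# (a) host-only scoping (Catalyst's default) and (b) the apex default.
sub scope_report {
    my ($set_on, @hosts) = @_;
    my $apex = apex_cookie_domain($set_on);
    my %r;
    for my $h (@hosts) {
        $r{$h} = {
            host_only => ($h eq $set_on ? 1 : 0),
            apex      => cookie_sent_to($apex, $h),
        };
    }
    return ($apex, \%r);
}

# Constructed hosts: the session cookie is set on www.example.com.
my ($apex, $r) = scope_report('www.example.com',
    'www.example.com', 'dev.example.com', 'example.com', 'www.example.net');
printf "apex default would be: %s\n", $apex;
for my $h (sort keys %$r) {
    my $bleed = ($r->{$h}{apex} && !$r->{$h}{host_only}) ? '  <- session id bleeds' : '';
    printf "%-18s host-only=%d apex=%d%s\n", $h,
        $r->{$h}{host_only}, $r->{$h}{apex}, $bleed;
}
```

Any line flagged with "session id bleeds" is a host that never set the cookie but would be handed the session id by the browser; that is the exposure Wade describes, and it is what host-only scoping avoids by default.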
