[Catalyst] Setting cookie_domain
Bernhard Graf
catalyst2 at augensalat.de
Mon Apr 16 23:08:55 GMT 2007
On Monday 16 April 2007 19:36, Wade.Stuart at fallon.com wrote:
> IMHO it does do it "right" out of the box. The situation you are describing
> is an edge case and I would be uncomfortable with it tossing any apex
> domain willy nilly as the lock domain in default behavior. Cookies should be
> locked down to the host unless you have a reason to do it otherwise. In many
> cases the apex behavior listed above can and will cause session id
> bleed to unsecured sites.
I wonder what you mean by "edge case".
IE, that doesn't accept cookies as generated by
Catalyst::Plugin::Session::State::Cookie in default setup?
Or having multiple domains for a site for which C:P:S:S:C doesn't have
any usable option at all?
IE-conformity and multiple domains are no edge case - these are two
requirements that apply to most real world sites I would say.
I have my workaround now, but this solution kept me from doing
productive things and makes my code ugly and cryptic - things that
Catalyst actually strives to eliminate.
--
Bernhard Graf