[Catalyst] Setting cookie_domain

Bernhard Graf catalyst2 at augensalat.de
Mon Apr 16 23:08:55 GMT 2007

On Monday 16 April 2007 19:36, Wade.Stuart at fallon.com wrote:

> IMHO it does do it "right" out of the box.  The situation you are
> describing
> is an edge case and I would be uncomfortable with it tossing any apex
> domain willy nilly as the lock domain in default behavior. Cookies
> should be
> locked down to the host unless you have a reason to do it otherwise.
> In many
> cases the apex behavior listed above can and will cause session id
> bleed to unsecured sites.

I wonder what you mean with "edge case".

IE, that doesn't accept cookies as generated by 
Catalyst::Plugin::Session::State::Cookie in default setup?

Or having multiple domains for a site for which C:P:S:S:C doesn't have 
any usable option at all?

IE-conformity and multiple domains is no edge case - these are two 
requirements that apply for most real world sites I would say.

I have my workaround now, but this solution kept me from doing 
productive things and makes my code ugly and cryptic - things that 
Catalyst actually strives to eliminate.
Bernhard Graf

More information about the Catalyst mailing list