[Catalyst] warning
Jason Kohles
email at jasonkohles.com
Wed Jan 23 21:09:06 GMT 2008
On Jan 23, 2008, at 5:45 AM, Octavian Rasnita wrote:
> Hi,
>
> I've seen that if I skip setting the cookie_domain for the session
> in MyApp.pm, the authentication works for all the domain names, but
> only if I use Internet Explorer.
>
> Firefox doesn't like the cookies without a domain set so the
> authentication doesn't work at all with this browser.
>
This is simply not true; Firefox deals with cookies without a domain
just fine.
From RFC2109 (HTTP State Management Mechanism):

    Domain=domain
        Optional. The Domain attribute specifies the domain for which the
        cookie is valid. An explicitly specified domain must always start
        with a dot.

Note the 'Optional', the spec does not require the cookie to specify a
domain.

    4.3 User Agent Role
    4.3.1 Interpreting Set-Cookie
        The user agent keeps separate track of state information that arrives
        via Set-Cookie response headers from each origin server (as
        distinguished by name or IP address and port). The user agent
        applies these defaults for optional attributes that are missing:
        ...
        Domain Defaults to the request-host. (Note that there is no dot at
        the beginning of request-host.)

From the terminology section:

    The terms request-host and request-URI refer to the values the client
    would send to the server as, respectively, the host (but not port)
    and abs_path portions of the absoluteURI (http_URL) of the HTTP
    request line. Note that request-host must be a FQHN.

So the behavior you are requesting is already what the RFC requires
the browser to do with a cookie that does not have a domain specified,
and this RFC is over 10 years old.
> So the best solution is to use in Root.pm:
> $c->config->{session}->{cookie_domain} = $c->req->hostname;
>
> It could be helpful if this could be done automatically if there is no
> cookie_domain set for the session, instead of not sending any domain.
>
> Octavian
--
Jason Kohles, RHCA RHCDS RHCE
email at jasonkohles.com - http://www.jasonkohles.com/
"A witty saying proves nothing." -- Voltaire
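
The defaulting rule quoted from RFC 2109 above, as an added example that is not part of the original message: a small JavaScript model of how a user agent scopes a session cookie with and without a Domain attribute. The hostnames and the cookie name are constructed, and only the rules named in the comments are modelled (this is not any browser's code).

```javascript
// Model of the RFC 2109 rules quoted above; not any browser's actual code.

// RFC 2109 domain-match: equal strings, or host = N + ".suffix" with N non-empty.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return domain.startsWith(".") && host.length > domain.length && host.endsWith(domain);
}

// Decide what a user agent stores for a Set-Cookie received from requestHost.
// domainAttr is the Domain attribute value, or undefined when it is absent.
function storeCookie(requestHost, name, domainAttr) {
  if (domainAttr === undefined) {
    // 4.3.1: Domain defaults to the request-host (no leading dot).
    return { name, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  // "An explicitly specified domain must always start with a dot."
  if (!domainAttr.startsWith(".")) return null;
  // The setting host must itself belong to the domain it names.
  if (!domainMatches(requestHost, domainAttr)) return null;
  return { name, domain: domainAttr.toLowerCase(), hostOnly: false };
}

// Would the stored cookie be returned on a request to host?
function sentTo(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatches(host, cookie.domain);
}

// Constructed hostnames and cookie name (not from the thread).
const HOSTS = ["www.example.com", "app.example.com", "www.example.org"];

// Hosts from HOSTS that would receive the cookie back.
function scope(requestHost, domainAttr) {
  const cookie = storeCookie(requestHost, "myapp_session", domainAttr);
  return HOSTS.filter((h) => sentTo(cookie, h));
}

console.log(scope("www.example.com", undefined));         // no Domain: host-only
console.log(scope("www.example.com", ".example.com"));    // whole domain
console.log(scope("www.example.com", "www.example.com")); // no leading dot: rejected
console.log(scope("www.example.com", ".example.org"));    // foreign domain: rejected
```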