On Sun, Nov 03, 2019 at 02:00:37AM +0100, Christian Boltz wrote:
Hello,
On Sunday, 3 November 2019, 00:18:34 CET, Michael Ströder wrote:
On 11/2/19 7:23 PM, Christian Boltz wrote:
Note that both login.o.o and login2.o.o use the same cookie name ("openSUSE_session"), but since they are independent servers, don't know about each other's login sessions. Therefore it's not surprising that only the last login can win :-(
The obvious solution is to change the cookie name on one of the servers. Since I only have access to login2.o.o, I took the easy way and changed it there instead of annoying someone with access to login.o.o.
Isn't the obvious solution to let the application set the cookie's 'Domain' attribute?
A properly written application should do that.
I'm afraid it isn't that easy ;-)
login.o.o and login2.o.o act as login proxies [1] for several *.o.o domains, and the browser sees domains like en.o.o and build.o.o (but not login.o.o or login2.o.o).
From a browser's viewpoint, the session cookie gets sent by e.g. en.o.o or build.o.o. This also means restricting the cookie to a specific subdomain [2] would break single sign-on [3].
This leaves using different cookie names as the way to go ;-)
Regards,
Christian Boltz
[1] To be exact, as a reverse proxy, somewhat similar to haproxy or apache mod_proxy - but with some additions like
    - the /ICSLogin/ part serving and handling the login page
    - sending out and handling the session cookie
    - adding headers with the username etc. when forwarding the request to the actual servers (so that for example the wiki server knows who is logged in, but never has to see or check any password)
If you can pass on the login name you can pass on the domain as well, so it knows for which domain you want to set the cookie, right? The obvious downside is that if the server serves multiple domains you would have to contact it several times separately to set cookies for different domains.

It's not like it does not happen in practice, anyway. I need to log in to bugzilla.o.o and bugzilla.suse.com separately, and also separately to the wiki and to the build service. Which also means if one of the bugzilla cookies gets broken I can use the other domains to get to bugzilla.

Thanks

Michal
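The cookie-scoping trade-off discussed in this thread, as an added example that is not part of the original messages: a minimal model of how a browser stores cookies by (name, domain, path) per RFC 6265. The hostnames under example.org, the token values, the second cookie name `openSUSE_session2` and which proxy fronts which site are assumptions made for illustration.

```python
# Added illustration; hostnames, tokens and "openSUSE_session2" are constructed.
from dataclasses import dataclass, field

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

@dataclass
class Jar:
    """Browser cookie store keyed by (name, domain, path), as in RFC 6265 5.3."""
    store: dict = field(default_factory=dict)

    def set_cookie(self, request_host, name, value, domain=None, path="/"):
        host_only = domain is None            # no Domain attribute: host-only cookie
        dom = request_host if host_only else domain.lstrip(".").lower()
        if not host_only and not domain_match(request_host, dom):
            return False                      # a host may not set a foreign domain
        self.store[(name, dom, path)] = (value, host_only)  # same key: overwrite
        return True

    def cookies_for(self, host):
        """Cookies sent with a request to `host` (path matching omitted)."""
        out = {}
        for (name, dom, _path), (value, host_only) in self.store.items():
            if (host == dom) if host_only else domain_match(host, dom):
                out[name] = value
        return out

SITE_A, SITE_B, PARENT = "en.example.org", "build.example.org", "example.org"

def scenario(name_a, name_b, domain):
    """Log in via proxy A on SITE_A, then via proxy B on SITE_B."""
    jar = Jar()
    jar.set_cookie(SITE_A, name_a, "token-from-proxy-A", domain)
    jar.set_cookie(SITE_B, name_b, "token-from-proxy-B", domain)
    return jar.cookies_for(SITE_A), jar.cookies_for(SITE_B)

def shared_name():   # both proxies use one name, cookie valid for the parent domain
    return scenario("openSUSE_session", "openSUSE_session", PARENT)

def renamed():       # one proxy switches to a different cookie name
    return scenario("openSUSE_session", "openSUSE_session2", PARENT)

def host_only():     # cookie restricted to the exact host that set it
    return scenario("openSUSE_session", "openSUSE_session", None)

if __name__ == "__main__":
    for case in (shared_name, renamed, host_only):
        print(case.__name__, case())
```

With a shared name the second login replaces the first proxy's token on every site; with host-only cookies nothing collides, but no site sees a session established on another host, so each host needs its own login.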