On Sunday, 3 November 2019, 00:18:34 CET, Michael Ströder wrote:
> On 11/2/19 7:23 PM, Christian Boltz wrote:
> > Note that both login.o.o and login2.o.o use the same cookie name
> > ("openSUSE_session"), but since they are independent servers, don't
> > know about each other's login sessions. Therefore it's not
> > surprising that only the last login can win :-(
> >
> > The obvious solution is to change the cookie name on one of the
> > servers. Since I only have access to login2.o.o, I took the easy
> > way and changed it there instead of annoying someone with access to
>
> Isn't the obvious solution to let the application set the cookie's
> A properly written application should do that.

I'm afraid it isn't that easy ;-)

login.o.o and login2.o.o act as login proxies [1] for several *.o.o
domains, and the browser sees domains like en.o.o and build.o.o (but not
login.o.o or login2.o.o).

From a browser's viewpoint, the session cookie gets sent by e.g. en.o.o
or build.o.o. This also means restricting the cookie to a specific
subdomain [2] would break single sign-on [3].

This leaves using different cookie names as the way to go ;-)

[1] To be exact, as a reverse proxy, somewhat similar to haproxy or
    apache mod_proxy - but with some additions like
    - the /ICSLogin/ part serving and handling the login page
    - sending out and handling the session cookie
    - adding headers with the username etc. when forwarding the request
      to the actual servers (so that for example the wiki server knows
      who is logged in, but never has to see or check any password)

[2] I guess your idea was to restrict the session cookie to login2.o.o?
    My explanation should make clear why that won't work - actually it
    would completely break the login because the browser would never
    send a cookie restricted to login2.o.o to en.o.o.

[3] Actually we have a triple sign-on ;-) using login.o.o for OBS,
    login2.o.o in the heroes network for the wikis etc., and another
    login server in Provo for bugzilla and the forums.
    This means that in the worst case you have to log in 3 times if you
    want to use all these services.

<coolo> or even worse, you coffee
<ancor> Ilmehtar: coolo is right. I always use jquery
<ancor> but I'm not still used to coffee
<vad> tea, then?
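
The cookie behaviour discussed in this mail, as an added example that is not part of the original message or of the openSUSE login proxy code: a simplified model of a browser's RFC 6265 cookie handling, showing the same-name overwrite, the effect of a renamed cookie, and why a cookie scoped to login2.o.o never reaches en.o.o. The hostnames are the thread's shorthand; the Domain=o.o scope, the mapping of build.o.o to login.o.o, and the name openSUSE_session_login2 are assumptions made for the illustration.

```javascript
// Simplified RFC 6265 cookie jar: no paths, expiry, flags or public-suffix check.
// Hostnames are the thread's shorthand; Domain=o.o and the renamed cookie are assumptions.

// RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // Handle a Set-Cookie seen in a response from `host`; no `domain` means host-only.
  set(host, name, value, domain) {
    // Section 5.3 step 6: a Domain the responding host does not match is ignored.
    if (domain !== undefined && !domainMatch(host, domain)) return false;
    const hostOnly = domain === undefined;
    const scope = hostOnly ? host : domain;
    // Same name and scope means same slot, so the newer cookie replaces the older.
    this.store.set(`${name}|${hostOnly}|${scope}`, { name, value, hostOnly, scope });
    return true;
  }

  // Cookies the browser attaches to a request for `host`.
  cookiesFor(host) {
    const sent = {};
    for (const c of this.store.values()) {
      const ok = c.hostOnly ? host === c.scope : domainMatch(host, c.scope);
      if (ok) sent[c.name] = c.value;
    }
    return sent;
  }
}

// Log in via login.o.o (assumed to front build.o.o), then via login2.o.o (en.o.o).
function afterBothLogins(login2CookieName) {
  const jar = new CookieJar();
  jar.set("build.o.o", "openSUSE_session", "from-login", "o.o");
  jar.set("en.o.o", login2CookieName, "from-login2", "o.o");
  return jar.cookiesFor("build.o.o");
}

// Scoping the cookie to the proxy's own hostname: en.o.o may not set it at all.
function scopedToProxyHost() {
  const jar = new CookieJar();
  const accepted = jar.set("en.o.o", "openSUSE_session", "from-login2", "login2.o.o");
  return { accepted, sent: Object.keys(jar.cookiesFor("en.o.o")).length };
}
```

With distinct names both cookies are still sent to every matching host, so each proxy has to ignore the cookie it did not issue.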