Hello,

On Sunday, 3 November 2019, 00:18:34 CET, Michael Ströder wrote:
> On 11/2/19 7:23 PM, Christian Boltz wrote:
> > Note that both login.o.o and login2.o.o use the same cookie name ("openSUSE_session"), but since they are independent servers, don't know about each other's login sessions. Therefore it's not surprising that only the last login can win :-(
> >
> > The obvious solution is to change the cookie name on one of the servers. Since I only have access to login2.o.o, I took the easy way and changed it there instead of annoying someone with access to login.o.o.
>
> Isn't the obvious solution to let the application set the cookie's 'Domain' attribute?
> A properly written application should do that.

I'm afraid it isn't that easy ;-)

login.o.o and login2.o.o act as login proxies [1] for several *.o.o domains, and the browser sees domains like en.o.o and build.o.o (but not login.o.o or login2.o.o). From a browser's viewpoint, the session cookie gets sent by e.g. en.o.o or build.o.o.

This also means restricting the cookie to a specific subdomain [2] would break single sign-on [3].

This leaves using different cookie names as the way to go ;-)


Regards,

Christian Boltz

[1] To be exact, as a reverse proxy, somewhat similar to haproxy or apache mod_proxy - but with some additions like
    - the /ICSLogin/ part serving and handling the login page
    - sending out and handling the session cookie
    - adding headers with the username etc. when forwarding the request to the actual servers (so that for example the wiki server knows who is logged in, but never has to see or check any password)

[2] I guess your idea was to restrict the session cookie to login2.o.o? My explanation should make clear why that won't work - actually it would completely break the login because the browser would never send a cookie restricted to login2.o.o to en.o.o.

[3] Actually we have a triple sign-on ;-) using login.o.o for OBS, login2.o.o in the heroes network for the wikis etc., and another login server in Provo for bugzilla and the forums. This means that in the worst case you have to log in 3 times if you want to use all these services.

-- 
<coolo> Ilmehtar: in rails you don't javascript, you jquery
<coolo> or even worse, you coffee
<ancor> Ilmehtar: coolo is right. I always use jquery
<ancor> but I'm not still used to coffee
<vad> tea, then?
[from #opensuse-project]
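
The cookie behaviour discussed in this message, modelled as a small browser cookie jar (an added example, not part of the original mail and not code from the openSUSE login proxies). It assumes the session cookie is set with a Domain covering all *.o.o hosts, that build.o.o sits behind login.o.o and en.o.o behind login2.o.o, and it uses a made-up name for the renamed cookie.

```python
# Minimal model of a browser cookie jar (RFC 6265 storage and domain matching).
# Assumptions: Domain=o.o on the session cookie, build.o.o behind login.o.o,
# en.o.o behind login2.o.o; cookie values and the new cookie name are constructed.

def domain_match(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self):
        self.store = {}  # (name, domain, path) -> (value, host_only)

    def set_cookie(self, request_host, name, value, domain=None, path="/"):
        """Apply a Set-Cookie header received in a response from request_host."""
        if domain is None:
            key, host_only = (name, request_host, path), True
        elif domain_match(request_host, domain):
            key, host_only = (name, domain, path), False
        else:
            return False  # Domain does not cover the responding host: ignored
        self.store[key] = (value, host_only)  # an identical key is overwritten
        return True

    def cookies_for(self, request_host):
        """Cookies the browser would attach to a request to request_host."""
        sent = {}
        for (name, domain, _path), (value, host_only) in self.store.items():
            match = request_host == domain if host_only else domain_match(request_host, domain)
            if match:
                sent[name] = value
        return sent


def login_at_both(login2_cookie_name):
    """Log in via build.o.o, then via en.o.o; return what build.o.o receives."""
    jar = CookieJar()
    jar.set_cookie("build.o.o", "openSUSE_session", "session-from-login", domain="o.o")
    jar.set_cookie("en.o.o", login2_cookie_name, "session-from-login2", domain="o.o")
    return jar.cookies_for("build.o.o")


def restrict_to_login2():
    """The proxy answers as en.o.o but sets Domain=login2.o.o (footnote [2])."""
    jar = CookieJar()
    accepted = jar.set_cookie("en.o.o", "openSUSE_session", "x", domain="login2.o.o")
    return accepted, jar.cookies_for("en.o.o")
```

Calling login_at_both("openSUSE_session") leaves build.o.o with only the login2 session value, while a distinct name keeps both sessions alive; restrict_to_login2() shows the cookie is never stored because the browser only ever sees en.o.o as the responding host.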