Feature Proposal: Make the login manager's cookie (domain) realm configurable.

Motivation

I want to share the cookie among different hosts in my company realm (*.company.com).

Description and Documentation

Add a -domain parameter to the cookie creator in the LoginManager.pm and make the value available as an expert option.

Examples

    my $cookie = CGI::Cookie->new(
        -name     => $Foswiki::LoginManager::Session::NAME,
        -value    => $this->{_cgisession}->id(),
        -path     => '/',
        -domain   => $someExpertOption,          # add this
        -httponly => 1
    );

Impact


Implementation

-- Contributors: OliverKrueger - 14 Jan 2010

Discussion

I support this.

Could we also take this opportunity to not hard-code the path to '/'? Debugging a cookie problem I had, I came across some sources that suggested against this, e.g. http://research.corsaire.com/whitepapers/040323-cookie-path-best-practice.pdf

If my understanding is correct (it very well might not be), it's possible (shared host/access situation?) a foswiki installation at: http://thehost.com/foocustomer/foswiki

Might be vulnerable to an account holder at http://thehost.com/barcustomer/*

... if the same user visits both sites, the browser could expose their foswiki cookies to barcustomer.

In the above example, if the cookie path was equal to the foswiki root path by default ( '/foocustomer/foswiki' ), the user's browser would not expose foswiki cookies to barcustomer.

-- PaulHarvey - 14 Jan 2010
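
The cookie scoping discussed in the proposal and in the comment above, as an added example that is not part of the original topic or of Foswiki's code: the RFC 6265 domain-match and path-match rules a browser applies when deciding whether to attach a cookie to a request. The `setBy` field, the hosts `wiki.company.com` and `mail.company.com`, and the page paths below each customer directory are constructed for illustration; public-suffix checks on the Domain value are not modelled.

```javascript
// Added example: RFC 6265 domain-match (5.1.3) and path-match (5.1.4).
// Hosts, paths and cookie objects below are constructed from the discussion.

function domainMatch(host, cookie) {
  host = host.toLowerCase();
  const domain = (cookie.domain || '').toLowerCase().replace(/^\./, '');
  // No Domain attribute: host-only cookie, returned only to the setting host.
  if (!domain) return host === cookie.setBy.toLowerCase();
  if (host === domain) return true;
  // Suffix matching never applies to IP-address hosts.
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a path-segment boundary.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// True when a browser would attach `cookie` to a request for `url`.
function isSent(cookie, url) {
  const u = new URL(url);
  return domainMatch(u.hostname, cookie) && pathMatch(u.pathname, cookie.path);
}

const FOO = 'http://thehost.com/foocustomer/foswiki/bin/view';
const BAR = 'http://thehost.com/barcustomer/page';

const rootPath = { setBy: 'thehost.com', path: '/' };                    // current hard-coded path
const scopedPath = { setBy: 'thehost.com', path: '/foocustomer/foswiki' }; // path = foswiki root
const hostOnly = { setBy: 'wiki.company.com', path: '/' };                // no -domain
const realmWide = { setBy: 'wiki.company.com', domain: 'company.com', path: '/' };

function report() {
  return {
    rootPathToBar: isSent(rootPath, BAR),
    scopedToBar: isSent(scopedPath, BAR),
    scopedToFoo: isSent(scopedPath, FOO),
    hostOnlyToOtherHost: isSent(hostOnly, 'https://mail.company.com/'),
    realmWideToOtherHost: isSent(realmWide, 'https://mail.company.com/'),
    realmWideToLookalike: isSent(realmWide, 'https://notcompany.com/'),
  };
}

console.log(report());
```

A domain-wide cookie reaches every host under that domain, so each of those hosts has to be trusted with the session. Path scoping only controls which requests carry the cookie; RFC 6265 notes that it does not always isolate paths on the same host, because some user agents expose cookies through non-HTTP APIs such as `document.cookie`.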

I support this as well. Came across this same capability in the Sympa email list software. It is useful in an SSO configuration where a domain-wide cookie might be set for session purposes.

-- GeorgeClark - 14 Jan 2010

We (www.eberspaecher.com) support this as well, just in case you need some more votes ;-).

-- CedricWeber - 14 Jan 2010

Sounds good to me. Accepted by 14 day rule.

-- CrawfordCurrie - 17 Feb 2010
Topic revision: r9 - 22 Mar 2011, GeorgeClark