On Monday 16 April 2007 19:36, [EMAIL PROTECTED] wrote:

> IMHO it does do it "right" out of the box. The situation you are describing
> is an edge case and I would be uncomfortable with it tossing any apex
> domain willy nilly as the lock domain in default behavior. Cookies should be
> locked down to the host unless you have a reason to do it otherwise. In many
> cases the apex behavior listed above can and will cause session id
> bleed to unsecured sites.

I wonder what you mean with "edge case". IE, that doesn't accept cookies as generated by Catalyst::Plugin::Session::State::Cookie in default setup? Or having multiple domains for a site for which C:P:S:S:C doesn't have any usable option at all? IE-conformity and multiple domains is no edge case - these are two requirements that apply for most real world sites I would say.

I have my workaround now, but this solution kept me from doing productive things and makes my code ugly and cryptic - things that Catalyst actually strives to eliminate.

--
Bernhard Graf

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
