Yeah - I think we could come up with some configuration param for
that. e.g. "useDomainCookie"
However - I think the default shouldn't do that. There are plenty of
times where the security on one subdomain should not transfer to
another subdomain.
On Jun 4, 2009, at 12:53 PM, Les Hazlewood wrote:
I'm wondering if we could provide some mechanism that allows the
user to specify they want Ki to automatically provide the .domain
value, allowing for dynamic deployment and lessens the possibility
of erroneous configuration or mistyping...
On Thu, Jun 4, 2009 at 12:30 PM, Jesse O'Neill-Oine <[email protected]> wrote:
I don't have much experience in this area, but I tend to think it
should be set in such a way that anything "sub" where you are should
be included. That way, if you were on myapp.com then the cookie
would be ".myapp.com" but if you were on subdomain.myapp.com the
cookie would be ".subdomain.myapp.com" so it's only opening up
further subdomains, not superdomains (no idea if that's a valid term).
I would also be fine with a configuration option.
Jesse
On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <[email protected]> wrote:
I don't think we should set it at the domain level by default.
Les, are you thinking we should be setting the cookie
".subdomain.myapp.com" or ".myapp.com" by default?
I'd be ok going with ".subdomain.myapp.com" OR just changing it so
the user can configure what domain to set the cookie for.
On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
Hi Jesse,
This problem is related to cross-domain cookies, which Ki
mistakenly does not set by default. If you open a Jira issue, I
can have this fix committed sometime today.
Reference:
http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <[email protected]> wrote:
I have a web application that is using JSecurity and also uses
wildcard DNS to allow for subdomains (and also sub-subdomains). I'm
having a problem getting people logged in properly.
The problem goes like this:
1. User goes to http://subdomain.myapp.com/ and fills in a login
form with their credentials.
2. Upon form submission we log them in and then redirect them to
http://user.subdomain.myapp.com/
3. They end up at their site, but they are no longer logged in
because they logged into the subdomain, not the sub-subdomain.
If the user uses the login form on http://user.subdomain.myapp.com/
then everything works fine.
Is there a way to tell JSecurity that a login is valid for the
entire domain (i.e. myapp.com) or the entire subdomain (i.e.
subdomain.myapp.com) rather than just the actual domain they are on
when they submit the form?
Thanks,
Jesse
PS - http://jsecurity.org seems to be down. http://incubator.apache.org/ki/
is fine though.
--
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Jesse O'Neill-Oine // [email protected]
Refactr LLC // http://refactr.com
mobile // 612-670-5037
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
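The three cookie-scoping choices the thread circles around (a host-only cookie, Jesse's "anything sub of where you are" rule, and the domain-wide cookie Jeremy does not want as a default) can be modelled with plain RFC 6265 domain matching. The Python below is an added example, not Ki/JSecurity code: the policy names, the `cookie_domain_for`/`cookie_sent_to` helpers and the host names are assumptions, and it reduces the "registrable domain" to the last two labels rather than consulting the Public Suffix List.

```python
"""Model of how a login cookie's Domain attribute decides which hosts see it.

Scenario from the thread: the login form is posted on subdomain.myapp.com and
the user is then redirected to user.subdomain.myapp.com under wildcard DNS.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

POLICIES = ("host-only", "sub", "domain")  # assumed policy names, not Ki config keys


@dataclass(frozen=True)
class LoginCookie:
    """A session cookie as the server set it (name and value do not matter here)."""
    origin_host: str          # host that answered the login POST
    domain: Optional[str]     # Domain attribute, or None when the cookie is host-only


def cookie_domain_for(host: str, policy: str) -> Optional[str]:
    """Return the Domain attribute to emit for a login on `host` under `policy`."""
    host = host.lower().rstrip(".")
    if policy == "host-only":
        return None                                   # browser scopes it to `host` only
    if policy == "sub":
        return "." + host                             # current host plus everything beneath it
    if policy == "domain":
        # Assumption: the registrable domain is the last two labels. Real code must
        # use the Public Suffix List (think co.uk); this sketch deliberately omits it.
        return "." + ".".join(host.split(".")[-2:])
    raise ValueError(f"unknown policy {policy!r}")


def issue_cookie(login_host: str, policy: str) -> LoginCookie:
    return LoginCookie(origin_host=login_host.lower().rstrip("."),
                       domain=cookie_domain_for(login_host, policy))


def cookie_sent_to(cookie: LoginCookie, request_host: str) -> bool:
    """RFC 6265 domain matching.

    A host-only cookie goes back only to the exact host that set it. A domain
    cookie goes to the domain itself and to every host beneath it; the check is a
    dot-prefixed suffix match, so evil-myapp.com never matches .myapp.com.
    """
    request_host = request_host.lower().rstrip(".")
    if cookie.domain is None:
        return request_host == cookie.origin_host
    d = cookie.domain.lstrip(".")
    return request_host == d or request_host.endswith("." + d)


def still_logged_in_after_redirect(login_host: str, redirect_host: str, policy: str) -> bool:
    """Does the session survive the post-login redirect under this policy?"""
    return cookie_sent_to(issue_cookie(login_host, policy), redirect_host)


def reach(login_host: str, policy: str, hosts: Iterable[str]) -> Dict[str, bool]:
    """Which of `hosts` receive the cookie issued by a login on `login_host`."""
    cookie = issue_cookie(login_host, policy)
    return {h: cookie_sent_to(cookie, h) for h in hosts}


if __name__ == "__main__":
    LOGIN = "subdomain.myapp.com"
    # Constructed sample hosts: the redirect target, a sibling subdomain, the apex,
    # and a lookalike domain that must never receive the cookie.
    HOSTS = ["subdomain.myapp.com", "user.subdomain.myapp.com",
             "other.myapp.com", "myapp.com", "evil-myapp.com"]
    for policy in POLICIES:
        print(f"{policy:>9}: Domain={cookie_domain_for(LOGIN, policy)!r}")
        for host, ok in reach(LOGIN, policy, HOSTS).items():
            print(f"           {host:<28} {'sent' if ok else 'not sent'}")
```

Running it reproduces the thread: `host-only` drops the session on the redirect to `user.subdomain.myapp.com` (the reported symptom); `sub` keeps it there while still withholding the cookie from the sibling `other.myapp.com`; `domain` reaches every subdomain of `myapp.com`, which is exactly the transfer of trust between unrelated subdomains Jeremy objects to as a default, so it belongs behind an explicit configuration switch. The `"." + d` suffix check is what keeps the lookalike `evil-myapp.com` out under every policy.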