I totally agree.

On Thu, Jun 4, 2009 at 1:00 PM, Jeremy Haile <[email protected]> wrote:

> Yeah - I think we could come up with some configuration param for that.
> e.g. "useDomainCookie"
> However - I think the default shouldn't do that. There are plenty of times
> where the security on one subdomain should not transfer to another
> subdomain.
>
> On Jun 4, 2009, at 12:53 PM, Les Hazlewood wrote:
>
> I'm wondering if we could provide some mechanism that allows the user to
> specify they want Ki to automatically provide the .domain value, allowing
> for dynamic deployment and lessening the possibility of erroneous
> configuration or mistyping...
>
> On Thu, Jun 4, 2009 at 12:30 PM, Jesse O'Neill-Oine <[email protected]> wrote:
>
>> I don't have much experience in this area, but I tend to think it should
>> be set in such a way that anything "sub" where you are should be included.
>> That way, if you were on myapp.com then the cookie would be ".myapp.com"
>> but if you were on subdomain.myapp.com the cookie would be
>> ".subdomain.myapp.com" so it's only opening up further subdomains, not
>> superdomains (no idea if that's a valid term).
>> I would also be fine with a configuration option.
>>
>> Jesse
>>
>> On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <[email protected]> wrote:
>>
>>> I don't think we should set it at the domain level by default.
>>> Les, are you thinking we should be setting the cookie
>>> ".subdomain.myapp.com" or ".myapp.com" by default?
>>>
>>> I'd be ok going with ".subdomain.myapp.com" OR just changing it so the
>>> user can configure what domain to set the cookie for.
>>>
>>> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>>>
>>> Hi Jesse,
>>>
>>> This problem is related to cross-domain cookies, which Ki mistakenly does
>>> not set by default. If you open a Jira issue, I can have this fix committed
>>> sometime today.
>>>
>>> Reference:
>>> http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>>>
>>> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <[email protected]> wrote:
>>>
>>>> I have a web application that is using JSecurity and also uses wildcard
>>>> DNS to allow for subdomains (and also sub-subdomains). I'm having a problem
>>>> getting people logged in properly.
>>>> The problem goes like this:
>>>> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
>>>> with their credentials.
>>>> 2. Upon form submission we log them in and then redirect them to
>>>> http://user.subdomain.myapp.com/
>>>> 3. They end up at their site, but they are no longer logged in because
>>>> they logged into the subdomain, not the sub-subdomain.
>>>>
>>>> If the user uses the login form on http://user.subdomain.myapp.com/ then
>>>> everything works fine.
>>>>
>>>> Is there a way to tell JSecurity that a login is valid for the entire
>>>> domain (i.e. myapp.com) or the entire subdomain (i.e.
>>>> subdomain.myapp.com) rather than just the actual domain they are on
>>>> when they submit the form?
>>>>
>>>> Thanks,
>>>> Jesse
>>>>
>>>> PS - http://jsecurity.org seems to be down.
>>>> http://incubator.apache.org/ki/ is fine though.
>>>>
>>>> --
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>> Jesse O'Neill-Oine // [email protected]
>>>> Refactr LLC // http://refactr.com
>>>> mobile // 612-670-5037
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>> --
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>> Jesse O'Neill-Oine // [email protected]
>> Refactr LLC // http://refactr.com
>> mobile // 612-670-5037
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
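The three cookie scopes argued over in the thread (no Domain attribute, which is what Jesse is hitting; ".subdomain.myapp.com", which Jesse and Jeremy prefer; and ".myapp.com", which Jeremy warns against as a default) can be compared directly with the browser's domain-matching rule. The following is an added example written for this page, not JSecurity/Ki code and not something any of the posters wrote. It models the RFC 6265 domain-match and the rule that a host may only set a Domain that covers itself; the host names are constructed to mirror the wildcard-DNS layout Jesse describes, and the "bare TLD" check is a deliberately crude stand-in for the public-suffix list that real browsers consult.

```python
# Added example (not Ki/JSecurity code): model of RFC 6265 cookie domain scoping,
# used to compare the Domain values discussed in the thread above.
from typing import Dict, List, Optional


def _norm(domain: str) -> str:
    """Strip the leading dot browsers ignore and lowercase (RFC 6265 s5.2.3)."""
    return domain.lstrip(".").lower()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: a host matches a cookie domain if it is equal to it
    or is a subdomain of it (label boundary enforced by the leading dot)."""
    host = request_host.lower()
    dom = _norm(cookie_domain)
    return host == dom or host.endswith("." + dom)


def browser_accepts(set_by_host: str, cookie_domain: Optional[str]) -> bool:
    """Would a browser store a cookie set by `set_by_host` with this Domain?

    Host-only cookies (no Domain attribute) are always accepted. A Domain must
    cover the host that set it, and must not be a bare TLD. The bare-TLD test is
    an assumption standing in for the public-suffix check real browsers do."""
    if cookie_domain is None:
        return True
    dom = _norm(cookie_domain)
    if "." not in dom:
        return False
    return domain_matches(set_by_host, dom)


def hosts_receiving_cookie(set_by_host: str, cookie_domain: Optional[str],
                           candidate_hosts: List[str]) -> List[str]:
    """Subset of candidate_hosts that would receive the cookie on later requests."""
    if not browser_accepts(set_by_host, cookie_domain):
        return []  # browser rejected the Set-Cookie; nobody gets it
    if cookie_domain is None:
        # Host-only cookie: sent back only to the exact host that set it.
        return [h for h in candidate_hosts if h.lower() == set_by_host.lower()]
    return [h for h in candidate_hosts if domain_matches(h, cookie_domain)]


# Constructed host names mirroring the thread's wildcard-DNS deployment.
HOSTS = [
    "myapp.com",
    "subdomain.myapp.com",        # where the login form is submitted
    "user.subdomain.myapp.com",   # where the user is redirected afterwards
    "other.myapp.com",            # a different tenant's subdomain
    "victim.other.myapp.com",     # a different tenant's sub-subdomain
]

LOGIN_HOST = "subdomain.myapp.com"

# The three options from the thread, keyed by a label.
SCENARIOS: Dict[str, Optional[str]] = {
    "host-only (no Domain attribute)": None,
    ".subdomain.myapp.com": ".subdomain.myapp.com",
    ".myapp.com": ".myapp.com",
}


def compare_scenarios() -> Dict[str, List[str]]:
    """For each Domain option, which constructed hosts see the session cookie."""
    return {label: hosts_receiving_cookie(LOGIN_HOST, dom, HOSTS)
            for label, dom in SCENARIOS.items()}


if __name__ == "__main__":
    for label, hosts in compare_scenarios().items():
        print(f"{label:34} -> {hosts}")
```

Reading the output: the host-only cookie never reaches user.subdomain.myapp.com, which is exactly the "logged in, then redirected, then logged out" symptom in the first message. ".subdomain.myapp.com" reaches the sub-subdomain but nothing under other.myapp.com, which is the "only further subdomains, not superdomains" behaviour Jesse asked for. ".myapp.com" reaches every tenant, which is why Jeremy does not want it as the default: any host under myapp.com, including one a different customer controls, would receive the session cookie. The example also shows that subdomain.myapp.com cannot set a cookie for ".other.myapp.com" at all, since the browser drops it.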
