Hi Jesse,

The commit went in on SVN rev. 781880. Here's the resolved issue:
https://issues.apache.org/jira/browse/KI-80

Cheers,

Les

On Thu, Jun 4, 2009 at 2:12 PM, Les Hazlewood <[email protected]> wrote:

> I totally agree.
>
> On Thu, Jun 4, 2009 at 1:00 PM, Jeremy Haile <[email protected]> wrote:
>
>> Yeah - I think we could come up with some configuration param for that.
>> e.g. "useDomainCookie"
>> However - I think the default shouldn't do that. There are plenty of
>> times where the security on one subdomain should not transfer to another
>> subdomain.
>>
>> On Jun 4, 2009, at 12:53 PM, Les Hazlewood wrote:
>>
>> I'm wondering if we could provide some mechanism that allows the user to
>> specify they want Ki to automatically provide the .domain value, allowing
>> for dynamic deployment and lessens the possibility of erroneous
>> configuration or mistyping...
>>
>> On Thu, Jun 4, 2009 at 12:30 PM, Jesse O'Neill-Oine <[email protected]> wrote:
>>
>>> I don't have much experience in this area, but I tend to think it should
>>> be set in such a way that anything "sub" where you are should be included.
>>> That way, if you were on myapp.com then the cookie would be ".myapp.com"
>>> but if you were on subdomain.myapp.com the cookie would be
>>> ".subdomain.myapp.com" so it's only opening up further subdomains, not
>>> superdomains (no idea if that's a valid term).
>>> I would also be fine with a configuration option.
>>>
>>> Jesse
>>>
>>> On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <[email protected]> wrote:
>>>
>>>> I don't think we should set it at the domain level by default.
>>>> Les, are you thinking we should be setting the cookie
>>>> ".subdomain.myapp.com" or ".myapp.com" by default?
>>>>
>>>> I'd be ok going with ".subdomain.myapp.com" OR just changing it so the
>>>> user can configure what domain to set the cookie for.
>>>>
>>>> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>>>>
>>>> Hi Jesse,
>>>>
>>>> This problem is related to cross-domain cookies, which Ki mistakenly
>>>> does not set by default. If you open a Jira issue, I can have this fix
>>>> committed sometime today.
>>>>
>>>> Reference:
>>>> http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>>>>
>>>> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine
>>>> <[email protected]> wrote:
>>>>
>>>>> I have a web application that is using JSecurity and also uses wildcard
>>>>> DNS to allow for subdomains (and also sub-subdomains). I'm having a
>>>>> problem getting people logged in properly.
>>>>> The problem goes like this:
>>>>> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
>>>>> with their credentials.
>>>>> 2. Upon form submission we log them in and then redirect them to
>>>>> http://user.subdomain.myapp.com/
>>>>> 3. They end up at their site, but they are no longer logged in because
>>>>> they logged into the subdomain, not the sub-subdomain.
>>>>>
>>>>> If the user uses the login form on http://user.subdomain.myapp.com/ then
>>>>> everything works fine.
>>>>>
>>>>> Is there a way to tell JSecurity that a login is valid for the entire
>>>>> domain (i.e. myapp.com) or the entire subdomain (i.e.
>>>>> subdomain.myapp.com) rather than just the actual domain they are on
>>>>> when they submit the form?
>>>>>
>>>>> Thanks,
>>>>> Jesse
>>>>>
>>>>> PS - http://jsecurity.org seems to be down.
>>>>> http://incubator.apache.org/ki/ is fine though.
>>>>>
>>>>> --
>>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>>> Jesse O'Neill-Oine // [email protected]
>>>>> Refactr LLC // http://refactr.com
>>>>> mobile // 612-670-5037
>>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>
>>> --
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>> Jesse O'Neill-Oine // [email protected]
>>> Refactr LLC // http://refactr.com
>>> mobile // 612-670-5037
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
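
The cookie scoping options debated in this thread, modeled as an added example (not Ki/JSecurity code and not part of any message above): a simplified RFC 6265 domain match that lists which hosts receive the session cookie under each choice. The host other.myapp.com and all function names are constructed for illustration; public-suffix checks, IP-address hosts and the Path/Secure attributes are left out.

```javascript
// Added example: RFC 6265 cookie scoping applied to the hostnames in this thread.
// Simplified model: no public-suffix check, no IP hosts, no Path/Secure handling.

// Lowercase and drop a leading dot (".myapp.com" and "myapp.com" are equivalent).
const canon = (h) => h.trim().toLowerCase().replace(/^\./, "");

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = canon(host);
  domain = canon(domain);
  return host === domain || host.endsWith("." + domain);
}

// Model what the browser stores for a Set-Cookie received from originHost.
// domainAttr is the Domain attribute value, or null when it is absent.
function storeCookie(originHost, domainAttr) {
  // No Domain attribute: host-only cookie, bound to the exact origin host.
  if (!domainAttr) return { domain: canon(originHost), hostOnly: true };
  // A host may only set a cookie for itself or one of its parent domains.
  if (!domainMatch(originHost, domainAttr)) return null;
  return { domain: canon(domainAttr), hostOnly: false };
}

// Would the browser attach this stored cookie to a request for requestHost?
function isSent(cookie, requestHost) {
  if (cookie === null) return false; // the Set-Cookie was rejected
  return cookie.hostOnly
    ? canon(requestHost) === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hosts from the thread plus one constructed sibling ("other.myapp.com").
const HOSTS = ["myapp.com", "subdomain.myapp.com",
               "user.subdomain.myapp.com", "other.myapp.com"];

// Which hosts receive a session cookie set at login on originHost?
function reach(originHost, domainAttr) {
  const cookie = storeCookie(originHost, domainAttr);
  return HOSTS.filter((h) => isSent(cookie, h));
}

const LOGIN = "subdomain.myapp.com"; // where the login form is submitted
console.log("no Domain attribute :", reach(LOGIN, null));
console.log(".subdomain.myapp.com:", reach(LOGIN, ".subdomain.myapp.com"));
console.log(".myapp.com          :", reach(LOGIN, ".myapp.com"));
console.log("sibling (rejected)  :", reach(LOGIN, ".other.myapp.com"));
```

The first case is the reported login loss, the second is the "only further subdomains" scope, and the third shows the session also reaching the unrelated sibling host, which is the reason given in the thread for not making the domain-level cookie the default.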
