It's me again. Unless there's something I'm not understanding, it looks
like something's broken with the auth_tkt implementation.
What seems to work for properly setting/resetting the auth_tkt cookie
is this: at signin, the response header should have:
Set-Cookie: auth_tkt=<value>; Path=/;
At signout:
Set-Cookie: auth_tkt=; Path=/;
This should work for the particular subdomain. For all hosts in the
domain it should be as follows:
Set-Cookie: auth_tkt=<value>; Path=/;domain=.xxx.com;
and
Set-Cookie: auth_tkt=; Path=/; domain=.xxx.com
So I don't understand the following code for logout, which breaks
subsequent authentication (at least in some configurations; plus
there's no way to include a domain when setting the cookie):
    cur_domain = environ.get('HTTP_HOST',
                             environ.get('SERVER_NAME'))
    wild_domain = '.' + cur_domain
    path = '/'
    # XXX Do we want to be setting a domain, what if the port is
    # wrong for example?
    cookies = [
        (
            'Set-Cookie',
            '%s=""; Path=%s' % (
                self.cookie_name,
                path
            )
        ),
        (
            'Set-Cookie',
            '%s=""; Path=%s; Domain=%s' % (
                self.cookie_name,
                path,
                cur_domain
            )
        ),
        (
            'Set-Cookie',
            '%s=""; Path=%s; Domain=%s' % (
                self.cookie_name,
                path,
                wild_domain,
            )
        ),
    ]
    return cookies
On Dec 27, 5:58 pm, "ben adam" <[EMAIL PROTECTED]> wrote:
Just further info, in case somebody has a clue about what's going on...
When it works (on my machine), on signout this happens:
HTTP/1.x 200 OK
Server: PasteWSGIServer/0.5 Python/2.4.2
Date: Thu, 28 Dec 2006 01:41:22 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: auth_tkt=""; Path=/
Set-Cookie: auth_tkt=""; Path=/; Domain=xxx.xxx.edu:5000
Set-Cookie: auth_tkt=""; Path=/; Domain=.xxx.xxx.edu:5000
Connection: close
and the browser stores auth_tkt cookie for the host (xxx.xxx.edu).
When the same app doesn't work on the webhosting co, this is what
happens on signout:
HTTP/1.x 200 OK
Date: Thu, 28 Dec 2006 01:38:41 GMT
Server: PasteWSGIServer/0.5 Python/2.4.4
Content-Type: text/html; charset=UTF-8
Set-Cookie: auth_tkt=""; Path=/
Set-Cookie: auth_tkt=""; Path=/; Domain=www.xxx.com
Set-Cookie: auth_tkt=""; Path=/; Domain=.www.xxx.com
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 1700
the browser stores 2 auth_tkt cookies: the first for the domain www.xxx.com, the
second for the domain .www.xxx.com.
Any pointers?
Thanks.
ben adam
On Dec 27, 12:27 pm, "ben adam" <[EMAIL PROTECTED]> wrote:
> You're right it happens at logout. If browser cookies are cleared the
> first time I login, only one auth_tkt cookie is set, but as soon as I
> logout 2 cookies are set (auth_tkt=""; auth_tkt=""), so subsequent
> logins don't work. It might be mod_auth_tkt at play but have no idea
> how to resolve this (maybe I should look at alternate way of doing this
> other than auth_tkt..). Thanks.
> On Dec 27, 9:58 am, Ian Bicking <[EMAIL PROTECTED]> wrote:
> > Ian Bicking wrote:
> > >> I'm having problems using authkit on web hosting company that uses
> > >> Apache (I also mentioned this in a post not too long ago). Here's
> > >> what's happening: when I run the app using paste http server by itself
> > >> everything works fine (i.e. the auth_tkt cookie is set & also the
> > >> REMOTE_USER var). However when running paste http server behind hosting
> > >> company's Apache server, after login there are 2 cookies with name
> > >> "auth_tkt": one properly set & the other an empty string, and
> > >> REMOTE_USER doesn't get set as a result.
> > >> So, what do I do with authkit (or paste auth) so that there's only one
> > >> "auth_tkt"?
> > > This might be a logout problem. If you set cookies with different paths
> > > or domains, deleting one cookie may leave another. It's a real pain in
> > > the butt. So you might have a cookie set for "foo.com" and another for
> > > "*.foo.com", for instance. Then when you log in after a logout, if you
> > > don't set both those cookies then one of the cookies might cover up the
> > > other.
> > Another note: mod_auth_tkt will set some cookies, catching the auth_tkt
> > query string parameter on redirects. To figure out exactly what is
> > happening you should use the LiveHTTPHeaders Firefox extension and
> > carefully track where each cookie gets set over the session.
> > --
> > Ian Bicking | [EMAIL PROTECTED] |http://blog.ianbicking.org
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en