New submission from ken <flex...@gmail.com>:

When you do:
1) login in "https"
2) all other in "http"
3) use Opera client
4) use non-standard port 
5) use AuthTkt cookie plugin
then the port left in the cookie domain prevents the Opera client from sending the cookie
to the other port (i.e. http).

Solution: just remove port from cookie domain.

repoze.who.plugins.auth_tkt.py:

    def _get_cookies(self, environ, value):
        cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
        cur_domain = cur_domain.split(":")[0] # this removes port if any
        wild_domain = '.' + cur_domain
        cookies = [


auth_tkt.py
76d75
<         cur_domain = cur_domain.split(":")[0]
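Review bot: cur_domain.split(":")[0] at line 76 treats the first colon as the port separator, so an IPv6 literal Host such as "[::1]:8080" is cut down to "[" and that becomes the cookie domain. Strip only a trailing ":port" instead, handling a leading "[" up to its closing "]" before looking for the port.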
142,143c141,142
<             #cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
<             #wild_domain = '.' + cur_domain
---
>             cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
>             wild_domain = '.' + cur_domain
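Review bot: at lines 142-143 the two assignments are commented out on the patched side rather than replaced, so whatever code follows there and uses cur_domain or wild_domain has to get them from somewhere the visible lines do not show; if nothing else defines them, that path raises NameError. Either keep the assignment and apply the same port strip there, or move the host-to-domain logic into one helper that both places call, and delete the old lines instead of leaving them as comments. The diff also has the patched file on the "<" side, so it should be regenerated with the original first (ideally as a unified diff) before it is applied.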

----------
messages: 150
nosy: ken
priority: bug
status: unread
title: remove port from cookie path

__________________________________
Repoze Bugs <b...@bugs.repoze.org>
<http://bugs.repoze.org/issue66>
__________________________________
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
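
The port stripping proposed in the report, as an added example that is not part of the original message or of repoze.who. The names strip_port, cookie_domains and set_cookie_headers are hypothetical, and the Set-Cookie layout (one host-only cookie plus one per domain) is an assumption:

```python
import ipaddress


def strip_port(host):
    """Drop a trailing ":port" from a Host value, keeping IPv6 literals whole."""
    host = host.strip()
    if host.startswith('['):
        # IPv6 literal such as "[::1]:8443": keep up to the closing bracket.
        end = host.find(']')
        return host[:end + 1] if end != -1 else host
    # Hostname or IPv4 address: "example.com:8443" -> "example.com".
    return host.split(':', 1)[0]


def cookie_domains(environ):
    """Return the Domain values to use for a WSGI request, without any port."""
    raw = environ.get('HTTP_HOST') or environ.get('SERVER_NAME', '')
    cur_domain = strip_port(raw)
    if not cur_domain:
        return []
    try:
        ipaddress.ip_address(cur_domain.strip('[]'))
    except ValueError:
        # A real hostname: exact domain plus the leading-dot form from the report.
        return [cur_domain, '.' + cur_domain]
    # IP literal: this sketch sets no Domain attribute (host-only cookie).
    return []


def set_cookie_headers(environ, name, value):
    """Build Set-Cookie headers; the layout is an assumption of this example."""
    headers = [('Set-Cookie', '%s=%s; Path=/' % (name, value))]
    for domain in cookie_domains(environ):
        headers.append(
            ('Set-Cookie', '%s=%s; Path=/; Domain=%s' % (name, value, domain)))
    return headers


if __name__ == '__main__':
    # Constructed sample requests, not taken from the report.
    for env in ({'HTTP_HOST': 'example.com:8443'},
                {'HTTP_HOST': '[::1]:8443'},
                {'SERVER_NAME': 'localhost'}):
        for _, header in set_cookie_headers(env, 'auth_tkt', 'TICKET'):
            print(env, '->', header)
```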
