
cross-domain cookies #14

Open
boonebgorges opened this issue Oct 30, 2012 · 5 comments

@boonebgorges
Owner

I had to abandon cross-domain cookies during development, because I was having a hard time getting them to work. But in any case, WP needs to be able to set and read the sessionID cookie used by Etherpad, in order to verify permissions on pads.

@ghost ghost assigned boonebgorges Oct 30, 2012
@JohnMcLear

In my testing my pads are on example.com/pads where my WP deployment is on example.com --

@boonebgorges
Owner Author

Yeah, that should work fine. It's when they're on different domains that they're not getting set right - foo.com and bar.com. Subdirectories of the same top-level domain seem to work fine.

boonebgorges added a commit that referenced this issue May 28, 2013
It's not strictly speaking possible to set a cross-domain cookie because of
security concerns, but this filter does make it possible to configure
installations where EPL is running on a separate subdomain of your WP domain
(eg etherpad.example.com and wordpress.example.com).

See #14
@AramZS

AramZS commented May 28, 2013

So, there's no way to get this up and running if your Participad install is on a separate domain than the Etherpad install? This looks like we can hack around it by mapping a subdomain of the WordPress site to the etherpad server?

@boonebgorges
Owner Author

So, there's no way to get this up and running if your Participad install is on a separate domain than the Etherpad install?

Right. The issue, in short, is: We're using EPL sessions to protect access to Pads. EPL sessions are stored in a cookie called sessionID, which is used by EPL to authenticate. We generate the EPL session ID in Participad via the EPL API. But that means that the WP installation now has the value of the session ID, and needs to set a cookie for the EPL installation. If they live on different domains, security restrictions keep WP from doing this. (For good reason: when visiting my website, you wouldn't want me to run setcookie( 'your_fb_login_cookie', $foo, $bar, '.facebook.com' ) and hijack your account.)

Your workaround of mapping a subdomain onto EPL is a great idea, and should work without a hitch.

If the EPL API offered the option of setting the session cookie remotely, it would help. In other words: when I embed the EPL iframe in my WP site, I would like to be able to send a request to http://example.com/pad?setSessionCookie=[sessionID] or something like that, and EPL would asynchronously set the appropriate cookie. However, I don't know how secure this would be, given that EPL's API currently just uses a static API key for auth, which would make sessions subject to sniffing and hijacking pretty easily. Maybe @JohnMcLear has some thoughts about this.
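
As an added illustration of the restriction described above (this is not Participad's PHP, and is written in Python rather than the plugin's language): the helper works out the only Domain attribute a browser will accept on a cookie that both the WordPress host and the Etherpad host should receive, and returns nothing when the two share only a TLD, which is exactly the foo.com / bar.com case. The hostnames and the session value are constructed placeholders.

```python
"""Cookie-domain scoping for a shared Etherpad sessionID cookie.

Hypothetical helper (not Participad's code): decides whether WordPress,
serving on wp_host, can set a cookie that the browser will also send to
ep_host, and builds the resulting Set-Cookie header.
"""
from typing import Optional

# Constructed sample value, not a real Etherpad session identifier.
SAMPLE_SESSION_ID = "s.EXAMPLE_SESSION_ID_PLACEHOLDER"


def shared_cookie_domain(wp_host: str, ep_host: str) -> Optional[str]:
    """Return the most specific domain usable in a Set-Cookie Domain
    attribute that covers both hosts, or None when no such domain exists.

    Browsers only accept a Domain attribute that is a suffix of the request
    host (domain-match) and reject public suffixes such as "com". This
    simplified check treats any single label as a public suffix; a real
    implementation should consult the Public Suffix List (e.g. for co.uk).
    """
    wp_labels = wp_host.lower().rstrip(".").split(".")
    ep_labels = ep_host.lower().rstrip(".").split(".")
    common = []
    # Walk both names from the TLD leftwards while the labels agree.
    for a, b in zip(reversed(wp_labels), reversed(ep_labels)):
        if a != b:
            break
        common.append(a)
    common.reverse()
    if len(common) < 2:  # nothing shared, or only a TLD such as "com"
        return None
    return ".".join(common)


def session_cookie_header(wp_host: str, ep_host: str,
                          session_id: str) -> Optional[str]:
    """Build the Set-Cookie header WP would emit so that Etherpad on ep_host
    receives sessionID, or None when the hosts share no usable domain."""
    domain = shared_cookie_domain(wp_host, ep_host)
    if domain is None:
        return None
    return (f"sessionID={session_id}; Domain={domain}; Path=/; "
            "Secure; HttpOnly")


if __name__ == "__main__":
    for wp, ep in [("wordpress.example.com", "etherpad.example.com"),
                   ("example.com", "example.com"),
                   ("foo.com", "bar.com")]:
        print(wp, ep, "->", session_cookie_header(wp, ep, SAMPLE_SESSION_ID))
```

The subdomain workaround from the thread corresponds to the first case; the "same domain, /pads subdirectory" setup is the second, where no Domain scoping is needed at all.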

@JohnMcLear

Don't have much in the way of thoughts, to be honest. I think you'd have to propose it at https://github.com/ether/etherpad-lite/issues as I'm sure other people have stronger opinions on it than me. It's another one @rhelmer might be interested in, as he's working on the EP Team pad stuff.

Btw EPL is now EP, we dropped the Lite bit. :)
