Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cookie domain support to Session and Auth snaplets #150

Merged
merged 2 commits into from
Jun 15, 2015
Merged

Add cookie domain support to Session and Auth snaplets #150

merged 2 commits into from
Jun 15, 2015

Conversation

sopvop
Copy link
Contributor

@sopvop sopvop commented May 29, 2015

Should be useful for correct cookie handling in custom session/auth implementations.

It sets same cookie parameters as setSecureCookie.

forgetSecureCookie didn't set httpOnly parameter on cookie, which could make some new browsers ignore it.

@sopvop
Add exported helper function expireSecureCookie
fee1fe8 
It sets same cookie parameters as setSecureCookie.

forgetSecureCookie didn't set httpOnly parameter on cookie, which could
make some new browsers ignore it.
@sopvop
Copy link
Contributor Author

sopvop commented May 29, 2015

Hm, I'm not sure info in snapframework/snap-core#212 was correct. I need to double check this.
Don't merge this yet.

@sopvop
Copy link
Contributor Author

sopvop commented May 29, 2015

Ok, it works all right. Problem was elsewhere.
HttpOnly does not seem to affect firefox at all. But there were reports that it is important to some browsers.

@gregorycollins
Copy link
Member

So do we need this function? I'm happy to merge if it's needed.

@sopvop
Copy link
Contributor Author

sopvop commented Jun 2, 2015

It may be useful for symmetry with other functions in module.
But I have not confirmed that httponly flag is needed to expire cookies set with httponly.

@sopvop
Copy link
Contributor Author

sopvop commented Jun 3, 2015

So, after doing some research, I've once again studied the rfc6265 which clearly states that HttpOnly and Secure flags don't affect stored cookie replacement.

11.  If the cookie store contains a cookie with the same name,
    domain, and path as the newly created cookie:

    1.  Let old-cookie be the existing cookie with the same name,
        domain, and path as the newly created cookie.  (Notice that
        this algorithm maintains the invariant that there is at most
        one such cookie.)

    2.  If the newly created cookie was received from a "non-HTTP"
        API and the old-cookie's http-only-flag is set, abort these
        steps and ignore the newly created cookie entirely.

    3.  Update the creation-time of the newly created cookie to
        match the creation-time of the old-cookie.

    4.  Remove the old-cookie from the cookie store.

However @reiddraper reported in snapframework/snap-core#212 that it does matter to some browsers. Maybe he can provide examples of browsers which this affects.

So, in my opinion this function should be added for symmetry with other exported functions, better code readability and future-proofing the implementation.

@sopvop
Copy link
Contributor Author

sopvop commented Jun 4, 2015

Maybe actually rework these functions a bit.
Also allow session snaplet to set domain, as asked in #104

@sopvop
Add domains for cookies in auth/session snaplets
0ac4ce7 
You can set domain name for cookies in auth and cookie session
snaplets. This is useful when you want to make stored cookies available
to sub-domains.

For example: If you set cookie domain to `.example.com`, browser will
send it with requests to sub-domains like
`api.example.com`,`wiki.example.com` or `sub.subdomain.example.com`.

This is a breaking change for public Api.

Some snaplets which initialize AuthManager record with named fields like
AuthManager { remberCookie = .. } will receive compilation warning only!
This includes, for example, a popular snaplet-postgresql-simple Auth
Backend.
@sopvop sopvop changed the title Add exported helper function expireSecureCookie Add cookie domain support to Session and Auth snaplets Jun 8, 2015
@mightybyte
Copy link
Member

Seems reasonable to me. @ozataman?

@ozataman
Copy link
Member

Seems reasonable to me as well. I agree with symmetricity comments - if we have it on secure cookies now, we may as well expose here also.

I am a bit annoyed, though, that the domain cant be dynamically determined in some Handler context. So you'd have to hardwire your production domain text into the codebase, which smells bad. I haven't thought about it enough, but that may be too large a redesign on the auth snaplet for the scope of change here.

On Jun 10, 2015, at 9:02 AM, Doug Beardsley [email protected] wrote:

Seems reasonable to me. @ozataman?


Reply to this email directly or view it on GitHub.

sopvop added a commit that referenced this pull request Jun 15, 2015
@sopvop
Merge pull request #150 from sopvop/expireSecureCookie
ee7a17a 
Add cookie domain support to Session and Auth snaplets
@sopvop sopvop merged commit ee7a17a into snapframework:master Jun 15, 2015
@reiddraper
Copy link

However @reiddraper reported in snapframework/snap-core#212 that it does matter to some browsers. Maybe he can provide examples of browsers which this affects.

I was using Chrome, somewhere near 43.0.2357.81 (it's probably been updated several times since reporting the issue). Definitely worth double-checking my findings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sopvop @gregorycollins @mightybyte @ozataman @reiddraper