Hi Sergiu!
Sergiu Dumitriu wrote:
> It is impossible to send a cookie for a domain that's not a substring of
> the current URL, since it would be a big security issue. Further, it is
> impossible to set cookies for a TLD (.com).
> One trick that might work, although I didn't try, is to use cross domain
> AJAX requests which add cookies, but this is not a bulletproof solution:
> - works only with JS
> - works only in browsers that understand cross-domain requests
> See
> https://developer.mozilla.org/en/HTTP_access_control and
> http://www.w3.org/TR/cors/
> But maybe you should try something else, like WebID
> http://webid.myxwiki.org/
As usual, you have sent a lot of food for thought in your message. Thanks!
It will take me some time to digest all that. Probably mainly because
the first step, to define the problem to be solved, is not so well done
as desirable. Please, allow me to draft the user I'm facing here and
send a couple of questions.
The community behind the wiki farm we are designing belongs to a
number of different institutions. Each of these institutions has its own
information system, but for one reason or another it doesn't fulfill the
requirements of the aforementioned users. Also, all of them have a
feeling of needing some kind of "different" environment that eases their
lives concerning sharing information, knowledge and editing
collaboratively different kinds of documents. There are frequent
cross-interests between groups. I mean, it is advisable for people from
a given group to have some kind of access rights on documents belonging
to another group.
They all feel comfortable accessing a new portal with a customized look
and feel. But it is always easier to convince them to create a new TLD
(on .net or .org for instance) domain than having to explain why they
must share the same root. In some cases this is simply not possible for
"institutional image" reasons. That is why I would like to share cookies
across domains rather than having each of these groups use a virtual wiki
sharing a common "base domain".
If, as you said, sharing cookies between domains is a major security risk,
it seems to me that a system such as WebID is of great interest to deal
with a situation such as the one described here.
Please, could you tell me if I've understood two key points correctly:
1. The master or main wiki in our farm could be set up to issue WebID
certificates on demand. These certificates could be issued to users with
the correct credentials stored in an LDAP-enabled directory server,
always using SSL communication.
2. Each virtual wiki in our farm could be set up to accept WebID
certificates. It will be up to each user to obtain a WebID certificate
from the main wiki or keep using the plain old username/password system.
Even though I can easily agree about the fact that most of the security
issues in our systems are due to a bad or altogether lacking password
policy, I am sure many users feel comfortable with this "apparently
sure" system.
Any thought will be welcome!
Please, allow me just a final remark here addressed to all the XWiki
community. I've recently managed to regain access to an almost lost way
of using and trying to contribute to XWiki development. I am really
impressed with the work done in the last 12 months. Of course it is not
hard to impress me! But I am sure more skilled people are also impressed
with the current XWiki state of development! Thanks for all the hard work!
Greetings,
Ricardo
--
Ricardo Rodríguez
CTO
eBioTIC.
Life Sciences, Data Modeling and Information Management Systems
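
The cookie scoping rule quoted at the top of this message, sketched as an added example that is not part of the original thread: it models the Domain-attribute checks of RFC 6265 (sections 5.1.3 and 5.3) to show which farm layouts can share a cookie. The host names and the tiny `PUBLIC_SUFFIXES` set are constructed assumptions; real browsers consult the full Public Suffix List.

```javascript
// Added example: cookie Domain-attribute checks modelled on RFC 6265 section 5.3.
// PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

const isIpAddress = (host) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain and host is a name.
function domainMatch(host, domain) {
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith("." + domain);
}

// Decide what a user agent does with "Set-Cookie: ...; Domain=<domainAttr>"
// received from requestHost (no port). Returns { stored, scope, reason }.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // A leading dot is ignored; an absent or empty attribute means host-only.
  const domain = (domainAttr || "").toLowerCase().replace(/^\./, "");
  if (domain === "") {
    return { stored: true, scope: host, reason: "host-only cookie" };
  }
  if (PUBLIC_SUFFIXES.has(domain)) {
    // RFC exception: a host that is itself a public suffix gets a host-only cookie.
    if (domain === host) {
      return { stored: true, scope: host, reason: "host-only cookie" };
    }
    return { stored: false, scope: null, reason: "Domain is a public suffix" };
  }
  if (!domainMatch(host, domain)) {
    return { stored: false, scope: null, reason: "request host does not domain-match Domain" };
  }
  return { stored: true, scope: "." + domain, reason: "shared with subdomains" };
}

// Constructed farm hosts: a virtual wiki under a base domain, tried against four Domain values.
const cases = [
  ["physics.wikifarm.example.org", "wikifarm.example.org"],  // shared base domain
  ["physics.wikifarm.example.org", "institute.example.net"], // unrelated domain
  ["physics.wikifarm.example.org", ".org"],                  // TLD
  ["badwikifarm.example.org", "wikifarm.example.org"],       // string suffix, not a label boundary
];
for (const [host, domain] of cases) {
  const r = evaluateCookieDomain(host, domain);
  const verdict = r.stored ? "stored for " + r.scope : "rejected (" + r.reason + ")";
  console.log(`${host} -> Domain=${domain}: ${verdict}`);
}
```

Only the first case is stored, which is why virtual wikis on separate registered domains cannot share a session cookie and need a cross-domain identity mechanism instead.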