24 Jun
2010
24 Jun
'10
8:30 p.m.
Hello!
I'm slowly implementing my intentions:
http://mid.gmane.org/loom.20100612T141011-881%40post.gmane.org
The problem I have noticed is that I can't login currently. Login page
is located on http://wiki.x.metrolace.ru/ (wiki.x is ugly, I'll fix it
later) and the headers look like this when I'm logging in:
Set-Cookie: username="GpCybk1DvZRGHYktowzcuA__"; Version=1;
Max-Age=1296000; Expires=Fri, 09-Jul-2010 17:54:46 GMT; Path=/; HttpOnly
I can see no domain here despite I have set
xwiki.authentication.cookiedomains=.metrolace.ru
I have also tried xwiki.authentication.cookiedomains=metrolace.ru, it
didn't work.
As a consequence, the cookie is only valid on wiki.x.metrolace.ru, but
not on e. g. http://photos.metrolace.ru/
I guess this is an effect of security improvement in 2.4M1:
Added support for HttpOnly flag for session cookies (XSS protection measure)
It was mentioned that it required manual headers composing, and domains
might have been forgot when writing from scratch. Is it a bug or maybe
I'm missing something?
--
If you want to get to the top, you have to start at the bottom
27 Jun
27 Jun
9:46 a.m.
Ivan Levashew <I.Levashew@...> writes:
Set-Cookie: username="GpCybk1DvZRGHYktowzcuA__"; Version=1;
Max-Age=1296000; Expires=Fri, 09-Jul-2010 17:54:46 GMT; Path=/; HttpOnly
I can see no domain here despite I have set
xwiki.authentication.cookiedomains=.metrolace.ru
I seem to have found the cause. XWiki doesn't put Domain in cookie
when domain matches exactly. I. e. when request is done for
metrolace.ru, XWiki doesn't put domain in cookie. Squid redirector
naturally was programmed to redirect almost everything to
http://metrolace.ru/...
When I change this to http://www.metrolace.ru/, this www makes XWiki
ner^Wput "Domain=.metrolace.ru" in cookies as it supposed to do.
Do you think this strategy of non-putting Domain= in exact domains makes
sense? Those ones who have just 1 domain are not likely to edit
cookiedomains in xwiki.cfg and those ones like me using reverse
proxies for balancing or URL rewriting just meet yet another unwanted
obstacle.
The piece of code is here:
xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/
MyPersistentLoginManager.java
private String getCookieDomain(HttpServletRequest request)
String servername = request.getServerName();
should be changed to
String servername = "." + request.getServerName();
--
If you want to get to the top, you have to start at the bottom
5248
days inactive
5251
days old
1 comments
1 participants
participants (1)
-
Ivan Levashew