Posted to modperl@perl.apache.org by will trillich <wi...@serensoft.com> on 2001/05/02 07:39:30 UTC

glimmer of hope -- cookies: www.host.tld vs host.tld

Aha. I found a chink. I still only have one brick in the wall,
but now it seems like i may have a clue as to why the other
bricks have been sitting there, giggling.

to wit:

Cookies are restricted to certain domains, for security reasons.
(Why have a microsoft.com cookie sent to debian.org, right?)
So all cookies need

	domain=box.subnet.intralan.organization.tld

Or at the very least, two segments thereof:

	domain=.org.tld

Which would be sent to any of these hosts:

	www.org.tld
	some.obscure.server.org.tld
	even.here.org.tld

BUT NOT TO

	ord.tlg

Thank you very four-borking-days-lost-forever much.

So, patient gurus laughing-up-your-sleeves, who've known this
from the beginning and have only been waiting for grasshopper to
come to the epiphany on his own, would you mind sharing with us
lesser folk... HOW to have cookies work for bare-domain hosts
such as

	this.org
	something.net
	my.tld

to operate as aliases for more specific-style sites such as

	www.this.org
	www.something.net
	a.very.deep.and.remote.server.my.tld

? Please?

at least i'm off the russian roulette kick. for now.

-- 
don't visit this page. it's bad for you. take my expert word for it.
http://www.salon.com/people/col/pagl/2001/03/21/spring/index1.html

will@serensoft.com
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!

OT: Re: glimmer of hope -- cookies: www.host.tld vs host.tld

Posted by ___cliff rayman___ <cl...@genwax.com>.
u can also use the rewrite engine - for our domain genwax.com:

	RewriteCond %{HTTP_HOST}        ^genwax\.com$ [NC]
	RewriteRule ^(.+)       http://www.genwax.com$1 [R,L]

notice that it also makes sure to convert any case such as:
GeNwAx.com to www.genwax.com

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/

darren chamberlain wrote:

> will trillich (will@serensoft.com) said something to this effect on 05/02/2001:
> > Cookies are restricted to certain domains, for security reasons.
> > (Why have a microsoft.com cookie sent to debian.org, right?)
> > So all cookies need
> >
> >       domain=box.subnet.intralan.organization.tld
>
> *snip*
>
> A similar thread happened a while ago (see, e.g.,
> http://forum.swarthmore.edu/epigone/modperl/blixnortix/38ECE46E.2FDB261C@vialogix.com);
> Rusty Foster (of kuro5hin.org fame) explained his solution pretty well
> here:
> http://forum.swarthmore.edu/epigone/modperl/blixnortix/38ED1DBD.893F5783@kuro5hin.org
>
> (darren)
>




Re: glimmer of hope -- cookies: www.host.tld vs host.tld

Posted by will trillich <wi...@serensoft.com>.
On Wed, May 02, 2001 at 07:28:05AM -0400, darren chamberlain wrote:
> will trillich (will@serensoft.com) said something to this effect on 05/02/2001:
> > Cookies are restricted to certain domains, for security reasons.
> > (Why have a microsoft.com cookie sent to debian.org, right?)
> > So all cookies need
> > 
> > 	domain=box.subnet.intralan.organization.tld
> 
> *snip*
> 
> A similar thread happened a while ago (see, e.g.,
> http://forum.swarthmore.edu/epigone/modperl/blixnortix/38ECE46E.2FDB261C@vialogix.com);
> Rusty Foster (of kuro5hin.org fame) explained his solution pretty well
> here:
> http://forum.swarthmore.edu/epigone/modperl/blixnortix/38ED1DBD.893F5783@kuro5hin.org

here's the solution rusty posted:

	# IP of www.kuro5hin.org
	NameVirtualHost 216.181.35.174

	# Redirect all hostless requests to www VHost
	<VirtualHost 216.181.35.174>
		ServerName kuro5hin.org
		Redirect permanent / http://www.kuro5hin.org/
	</VirtualHost>

	# Proper URI for www.kuro5hin.org
	<VirtualHost 216.181.35.174>
	  ServerName www.kuro5hin.org
	  ...etc...
	</VirtualHost>

how is that different from 

	UseCanonicalName on

-- 
don't visit this page. it's bad for you. take my expert word for it.
http://www.salon.com/people/col/pagl/2001/03/21/spring/index1.html

will@serensoft.com
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!

Re: glimmer of hope -- cookies: www.host.tld vs host.tld

Posted by darren chamberlain <dl...@users.sourceforge.net>.
will trillich (will@serensoft.com) said something to this effect on 05/02/2001:
> Cookies are restricted to certain domains, for security reasons.
> (Why have a microsoft.com cookie sent to debian.org, right?)
> So all cookies need
> 
> 	domain=box.subnet.intralan.organization.tld

*snip*

A similar thread happened a while ago (see, e.g.,
http://forum.swarthmore.edu/epigone/modperl/blixnortix/38ECE46E.2FDB261C@vialogix.com);
Rusty Foster (of kuro5hin.org fame) explained his solution pretty well
here:
http://forum.swarthmore.edu/epigone/modperl/blixnortix/38ED1DBD.893F5783@kuro5hin.org

(darren)

-- 
How is it possible to find meaning in a finite world, given my waist
and shirt size?
    -- Woody Allen

Re: glimmer of hope -- cookies: www.host.tld vs host.tld

Posted by ___cliff rayman___ <cl...@genwax.com>.
Rob Bloodgood wrote:

> > Or at the very least, two segments thereof:
> >
> >       domain=.org.tld
> >
> --- lots of snippage ---
> you have it right at the top.
> assuming you are operating in org.tld, so www.org.tld and modperl.org.tld
> are valid boxes, then you send the domain string as ".$domain".  This one
> cost me about a week, so don't feel too bad!
>

if someone enters our site with domain.tld (no hostname), everything works
fine as long as they keep using relative links.  as soon as they select or get
redirected to an absolute link (usually when changing schemes http <=> https),
then the domain of the cookie fails, and the cookie data is lost (as far as the
browser is concerned).  this problem is avoidable if u ensure that a proper
hostname is used along with a domain.tld.  i do this with mod_rewrite. there
are probably many ways to do it, but the effect is the same, ensure that the
cookie domain matches through the user's entire session.  someone suggested
using the apache directive "canonical hostname".  my canonical hostname does not
always match the host and domain.tld of my server.  if it does, then this directive
will probably eliminate the "no hostname cookie domain matching problem" (a technical
term ;-) ).

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/



RE: glimmer of hope -- cookies: www.host.tld vs host.tld

Posted by Rob Bloodgood <ro...@empire2.com>.
> Or at the very least, two segments thereof:
>
> 	domain=.org.tld
>
> Which would be sent to any of these hosts:
>
> 	www.org.tld
> 	some.obscure.server.org.tld
> 	even.here.org.tld
>
> BUT NOT TO
>
> 	ord.tlg
>
> Thank you very four-borking-days-lost-forever much.
>
> So, patient gurus laughing-up-your-sleeves, who've known this
> from the beginning and have only been waiting for grasshopper to
> come to the epiphany on his own, would you mind sharing with us
> lesser folk... HOW to have cookies work for bare-domain hosts
> such as
>
> 	this.org
> 	something.net
> 	my.tld
>
> to operate as aliases for more specific-style sites such as
>
> 	www.this.org
> 	www.something.net
> 	a.very.deep.and.remote.server.my.tld

you have it right at the top.
assuming you are operating in org.tld, so www.org.tld and modperl.org.tld
are valid boxes, then you send the domain string as ".$domain".  This one
cost me about a week, so don't feel too bad!

Until now, you've been dealing with not even seeing the cookie header (in
the raw req).  Once the raw req has the right info, (e.g. the Set-Cookie:
header), then it comes down to verifying the info IN the headers. <sigh>

DON'T EXPECT TO SET A COOKIE FOR MULTIPLE DOMAINS.  If you set a cookie for
.this.org, it's not a part of the technology to allow the same cookie to
work w/ .something.net as well.  ALTHO: There's nothing stopping you from
setting cookies from perl.this.org for the .something.org domain if you
expect to go back and forth.

HTH, and good luck!

L8r,
Rob

#!/usr/bin/perl -w
use Disclaimer qw/:standard/;
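
Added example (not part of any post in this thread): a JavaScript model of how a browser following RFC 6265 decides whether to store a cookie and which hosts get it back, covering the bare-domain versus www case discussed above. The function names are illustrative, and the hostnames are the thread's own placeholders.

```javascript
// Added example: cookie host matching per RFC 6265 (sections 5.1.3 and 5.3).
// Function names are illustrative; hosts are given without a port.

// RFC 6265 5.1.3: a host domain-matches a cookie domain when they are equal,
// or when the host ends with "." + domain and the host is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Model what a browser stores for a Set-Cookie received from requestHost.
// domainAttr is the Domain= value, or null when the attribute is absent.
// Returns null when the cookie is rejected.
function storeCookie(requestHost, name, domainAttr) {
  if (domainAttr === null || domainAttr === '') {
    // No Domain attribute: host-only cookie, returned to this exact host only.
    return { name, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  // A leading dot in the attribute value is ignored.
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  // The setting host must itself domain-match the requested Domain.
  if (!domainMatch(requestHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for host?
function wouldSend(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Session cookie set with no Domain while the user is on the bare domain...
const hostOnly = storeCookie('this.org', 'session', null);
// ...versus one scoped to the whole domain with Domain=.this.org.
const scoped = storeCookie('www.this.org', 'session', '.this.org');

console.log(wouldSend(hostOnly, 'www.this.org')); // false: lost after the host changes
console.log(wouldSend(scoped, 'this.org'));       // true: survives bare <-> www
// A Domain the setting host does not belong to is rejected outright.
console.log(storeCookie('perl.this.org', 'session', '.something.org')); // null
```

The host-only case is why redirecting every request to one canonical hostname, as the mod_rewrite and VirtualHost configurations in the thread do, keeps the session cookie attached for the whole visit.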