Follow-up Comment #1, bug #6694 (project savane):
Hum, indeed there is something odd here.
What is for sure is that we want the cookie to be available to
"savannah.cern.ch" when created on "savannah.cern.ch", not to "cern.ch"
(initially, that was how it worked, I think with the original sourceforge).
Then, I think it would be sensible and frequently useful to have the cookie
available to all subdomains of the main domain. In the case of gna.org, as
the main domain is short, it means for all gna.org. In case of
"savannah.cern.ch", I think the cookie should be available also to
"*.savannah.cern.ch".
mail.gna.org is an example of the usefulness of being able to share cookies.
Someone may want to share a savane session with different things (annotate on
viewcvs, whatever); the easiest way to do it is not to reimplement the
authentication process but to share the cookie and session id.
Now, how to deal with the issue? Normally, only session-related cookies need
to have the *.domain.net cookie; (most of) the others can stay without
parameter, that will be fine. This reminds me of something, I even think the
noticed inconsistency was actually on purpose (but this should have been
mentioned in a comment in the code).
But session-related cookies should first check if the domain name is
acceptable in a cookie, that's probably the bug, as I don't think such a check
is made.
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?func=detailitem&item_id=6694>
_______________________________________________
Message posted via/by Gna!
http://gna.org/
_______________________________________________
Savane-dev mailing list
[email protected]
https://mail.gna.org/listinfo/savane-dev
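
One way to implement the check the comment above calls for, as an added example that is not part of the original message and is not Savane's own code: it decides whether the serving host name is acceptable as a cookie Domain and attaches it only to session cookies. The function names and the cookie names `session_hash` and `theme` are assumptions made for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def hostname_of(host_header):
    """Strip the port (and IPv6 brackets) from an HTTP Host header value."""
    host = host_header.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal, e.g. [::1]:8080
        return host[1:].split("]")[0]
    return host.split(":", 1)[0].rstrip(".")


def session_cookie_domain(host_header):
    """Return the Domain value for a session cookie, or None for a host-only cookie."""
    host = hostname_of(host_header)
    try:
        ipaddress.ip_address(host)
        return None                           # an IP address has no subdomains to share with
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None                           # single-label ("localhost") or malformed name
    # Scope to the serving host itself, never its parent: Domain=savannah.cern.ch
    # matches savannah.cern.ch and *.savannah.cern.ch, but not cern.ch.
    return host


def set_cookie_header(name, value, host_header, session=False):
    """Build a Set-Cookie value; only session cookies get a Domain attribute."""
    parts = [f"{name}={value}", "Path=/"]
    domain = session_cookie_domain(host_header) if session else None
    if domain:
        parts.append(f"Domain={domain}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample Host header values.
    for h in ("savannah.cern.ch", "gna.org:443", "127.0.0.1:8080", "localhost"):
        print(h, "->", set_cookie_header("session_hash", "abc", h, session=True))
    print(set_cookie_header("theme", "x", "savannah.cern.ch"))
```

This check does not consult a public-suffix list; a host that is itself a public suffix would still be returned as a Domain value.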