Add a parent_domain option for auth_tkt policy

[wichert]

This change adds a new parent_domain option to AuthTktAuthenticationPolicy which sets the authentication cookie as a wildcard cookie on the parent domain. This is useful if you have multiple sites sharing the same domain.

[mmerickel]

Does this actually work? I was under the impression that a subdomain could not set a cookie for a parent domain for security reasons.

[digitalresistor]

There is some discussion on this on SO: http://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com

[wichert]

It works just fine and used very often.

[wichert]

There are a couple of relevant standards here:

• RFC 2109 basically says that a server can only set a cookie which would be received by that same server: cookies must be rejected of the current URI does not match the cookie parameters.
• RFC 6265, in particular section 5.1.3 and section 5.2.3 change the domain matching rules a bit: the leading dot in a domain parameter is always ignored and cookies will always be send to subdomains. I don't know which browsers do and do not support this, so it is safest to include the loading dot.

Setting cookies on the parent domain is incredibly useful if you want to share a cookie between multiple services running within a domain. One example of a popular service that uses this is google analytics. If I click around a bit on www.bonprix.de for example I start with GA cookies for just www.bonprix.de but after a few clicks I also get GA cookies for .bonprix.de, which helps google uses to track visits across multiple sites in the same domain.

[tseaver]

+1

[enmand]

I'm not sure if this warrants creating an issue or not, but when using the parent_domain=True option on AuthTktAuthenticationPolicy, the AuthTktCookieHelper._get_cookies() function still send a Set-Cookie for the domain without the leading '.', since it sends it without a domain= key (https://github.com/znanja/pyramid/blob/master/pyramid/authentication.py#L868)

This causes some problems for example when the user logs in on domain.com, does to sub.domain.com, and logs out again on domain.com. This is a bit of a convoluted path, but you can see other potential issues that might arise.

I would say if parent_domain=True, don't send the first 'Set-Cookie' header without the domain= key. RFC 6265 section 5.1.3 quoted above seems to allow for this.

[landreville]

Just wanted to note that this has the same problem as an earlier pull request I submitted: #450. When the domain has a multi-part public suffix such as "example.co.uk" it will set the cookie on ".co.uk" instead of the correct "example.co.uk".

Here is an example test that fails:

def test_remember_parent_domain_multipart_suffix(self):
        helper = self._makeOne('secret', parent_domain=True)
        request = self._makeRequest()
        request.domain = 'example.co.uk'
        result = helper.remember(request, 'other')
        self.assertEqual(len(result), 1)

        self.assertEqual(result[0][0], 'Set-Cookie')
        self.assertTrue(result[0][1].endswith('; Domain=example.co.uk; Path=/'))
        self.assertTrue(result[0][1].startswith('auth_tkt='))

[digitalresistor]

@landreville Unfortunately there is not much that Pyramid can do. We don't want to depend on hardcoding the list of "top-level" domain names, nor do we want to depend on packages that do this already.

[mmerickel]

This is really the responsibility of the developer to make sure their app is not doing this. They know where it will be hosted, and have control over the settings.