Thanks for the info Andreas. Just FYI, I solved this by encrypting the __ac_name and __ac_password values in the URL and then hacked CookieCrumbler.py to decrypt them before it sets the cookie. I was wondering if this would be a useful inclusion in the main CMF code tree? The general idea is that the user would set up the path to a method called decrypt as a property of the cookie crumbler. If this property is non-NULL, the cookie crumbler calls it to decrypt the values before setting the cookie; in an instance where the value is not decrypted, the decryption mechanism should return the value passed to it.

--- Andreas Jung <lists@andreas-jung.com> wrote:
--On Thursday, 23 December 2004 11:47 -0800 Declan Shanaghy <declan@shanaghy.com> wrote:
I have set up a portal of shopping sites. Each merchant we support has their own domain set up.
e.g.
Seeing as they are shopping sites, certain pages have to be handled by SSL.
Due to SSL limitations only 1 SSL domain + certificate can exist per IP, and we only have 1 IP. Therefore my solution is that for non-SSL pages the merchant can use their own unique domain name, but all SSL pages will be redirected to https://merchantname.portal.com, and an SSL certificate is set up with a CN of *.portal.com.
A problem arises when switching between domains like this: the login cookie is lost. Currently I do a redirect between domains and include __ac_name and __ac_password arguments in the URL so the user stays logged in, but this causes the username and password to be displayed in the address bar in plain text.
I'd like to secure this more.
Is there any way that i could
A - Encrypt __ac_name and __ac_password values?
or
B - Set the cookie for both domains so name and password don't have to be transferred?
We do something like that:
- if the user visits site A then we assign the user a unique session ID *and* store the __ac cookie on the server side as part of the session info
- if the user visits site B, the session ID must be passed somehow to site B. Site B then takes the __ac info stored on the server and sends a setCookie('__ac',...) header to the client
This works only if you can share session information between sites; however, this approach might be a bit insecure. At least it works for us within an in-house application.
-aj
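The server-side handoff Andreas describes, written out as an added example (this is not code from the thread, from CMF, or from CookieCrumbler). Site A keeps the __ac value in a session store shared with the SSL host and puts only an unguessable, single-use, short-lived token in the redirect URL, so neither __ac_name nor __ac_password ever appears in the address bar; site B redeems the token and sends the __ac cookie itself. Assumptions: the two in-memory dicts stand in for whatever shared backend both virtual hosts can reach, the TTL values are illustrative, the SSL hostname is the one from the original post, and the __ac cookie is assumed to be CookieCrumbler's base64("name:password") form (check your own CookieCrumbler.py before relying on that).

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stores standing in for the session backend both sites
# share (assumption: a real deployment would use a database or cache reachable
# from every virtual host).
SESSIONS = {}        # session_id -> {"ac": ..., "expires": ...}
HANDOFF_TOKENS = {}  # token -> {"session_id": ..., "expires": ...}

SESSION_TTL = 3600   # seconds a login stays valid (assumed value)
HANDOFF_TTL = 30     # seconds a handoff token may sit in a URL (assumed value)


def encode_ac(name, password):
    """Build the __ac cookie value. Assumed to be CMF CookieCrumbler's
    base64("name:password") form; adjust if your CookieCrumbler differs."""
    return base64.b64encode(f"{name}:{password}".encode()).decode().rstrip()


def login_on_site_a(ac_name, ac_password, now=None):
    """Site A authenticates the user and keeps the __ac value server side,
    returning only an unguessable session id for the browser."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"ac": encode_ac(ac_name, ac_password),
                            "expires": now + SESSION_TTL}
    return session_id


def build_ssl_redirect(session_id, path, now=None):
    """Site A builds the redirect to the shared SSL host. The URL carries a
    single-use, short-lived token instead of __ac_name/__ac_password."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_id)
    if sess is None or sess["expires"] < now:
        raise PermissionError("no valid session to hand off")
    token = secrets.token_urlsafe(32)
    HANDOFF_TOKENS[token] = {"session_id": session_id,
                             "expires": now + HANDOFF_TTL}
    return f"https://merchantname.portal.com{path}?handoff={token}"


def redeem_on_site_b(url, now=None):
    """Site B consumes the token from the redirect URL, looks up the stored
    __ac value and returns the Set-Cookie header it should send, or None
    when the token is missing, unknown, already used or expired."""
    now = time.time() if now is None else now
    tokens = parse_qs(urlparse(url).query).get("handoff", [])
    if len(tokens) != 1:
        return None
    entry = HANDOFF_TOKENS.pop(tokens[0], None)   # pop: a token works once
    if entry is None or entry["expires"] < now:
        return None
    sess = SESSIONS.get(entry["session_id"])
    if sess is None or sess["expires"] < now:
        return None
    # Secure: never sent over plain HTTP; HttpOnly: not readable by page scripts.
    return f"Set-Cookie: __ac={sess['ac']}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    sid = login_on_site_a("declan", "s3cret")
    url = build_ssl_redirect(sid, "/checkout")
    print(url)
    print(redeem_on_site_b(url))
    print(redeem_on_site_b(url))   # None: the token was already consumed
```

The token is popped on first use and expires after a few seconds, which narrows the window in which a URL copied from a log, a Referer header or browser history could be replayed; that is the "bit insecure" part of a plain session-ID handoff that the single-use token addresses. The Secure flag keeps the __ac cookie on the SSL host only, which matches the split between the merchant's own domain and *.portal.com.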