[Kinda not related directly to Zope, but indirectly, it is the sort of thing that people using Zope are likely to hit. Hit 'delete' if you're easily offended by off-topicness.]

Ok, so I have a number of sites in the domain ekno.lonelyplanet.com. I want to share cookies amongst them, so that the user only has to log in once, and the cookies (with a 30-minute lifetime) will pass that on to the others.

Problem: one of the sites is http, the other https. Setting a cookie from the http site with a domain of '.ekno.lonelyplanet.com' _should_ result in it also being delivered to the https site, but doesn't.

As far as I can tell, both Navigator and IE are refusing to send the cookie set from the http site to the https site. Presumably this is some poor idea of security.

Has anyone else seen this, and, more importantly, has anyone else found a workaround?

Thanks,
Anthony.
At 14:39 15/07/99, Anthony Baxter wrote:
Ok, so I have a number of sites in the domain ekno.lonelyplanet.com.
I want to share cookies amongst them, so that the user only has to log in once, and the cookies (with a 30 minute lifetime) will pass that on to the others.
Problem: one of the sites is http, the other https. Setting a cookie from the http site with a domain of '.ekno.lonelyplanet.com' _should_ result in it also being delivered to the https site, but doesn't.
As far as I can tell, both Navigator and IE are refusing to send the cookie set from the http site to the https site. Presumably this is some poor idea of security.
Has anyone else seen this, and, more importantly, has anyone else found a workaround?
I have no direct experience with this, but maybe this will help: You can add the flag 'secure' to your cookie, signalling it can be transmitted over a secure channel. You might have to set the cookie twice, once with, and once without the 'secure' flag. Not sure if this will work...

Have a look at the original proposal from Netscape for more info (yeah right): http://home.netscape.com/newsref/std/cookie_spec.html

--
Martijn Pieters, Web Developer | Antraciet
http://www.antraciet.nl | Tel: +31-35-7502100 Fax: +31-35-7502111
mailto:mj@antraciet.nl | http://www.antraciet.nl/~mj
PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
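As an added example (not code from the thread, from Netscape, or from any of the participants' sites), here is a small cookie jar that implements the matching rules from the Netscape spec linked above (Domain, Path, Secure, Expires) and runs Anthony's scenario against it. Under those rules a non-Secure cookie set with Domain=.ekno.lonelyplanet.com by the http site is delivered to the https sibling, while a cookie carrying the Secure flag is delivered only over https. The `strictSecure` option models a later rule, "Leave Secure Cookies Alone" from RFC 6265bis as implemented in current browsers, under which a plain-http origin cannot set a Secure cookie at all, so the "set it twice" variant would be refused by today's browsers. The domain ekno.lonelyplanet.com is the thread's; the host names under it, the cookie names, the paths and the timestamps are made up for the illustration.

```javascript
// Added example, not code from the original thread: a minimal cookie jar that
// applies the Netscape cookie-spec matching rules (Domain, Path, Secure and
// expiry) so the http -> https case from the thread can be checked offline.
// Only the domain comes from the thread; hosts, cookie names, paths and dates are made up.

// Parse one Set-Cookie value received from originUrl, applying the spec
// defaults: host-only domain, default path, not Secure, session lifetime.
function parseSetCookie(header, originUrl, now) {
  const origin = new URL(originUrl);
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const c = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    domain: origin.hostname,
    hostOnly: true,
    path: origin.pathname.replace(/\/[^/]*$/, '') || '/',
    secure: false,
    expires: null,
    fromHttps: origin.protocol === 'https:',
  };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const v = rest.join('=').trim();
    if (key === 'domain') { c.domain = v.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
    else if (key === 'path') c.path = v || '/';
    else if (key === 'secure') c.secure = true;
    else if (key === 'expires') c.expires = Date.parse(v);
    else if (key === 'max-age') c.expires = now + Number(v) * 1000;
  }
  return c;
}

// Domain match: the exact host, or (for Domain= cookies) any subdomain of it.
function domainMatches(host, c) {
  return host === c.domain || (!c.hostOnly && host.endsWith('.' + c.domain));
}

// Path match: exact, or a prefix that ends at a '/' boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

class CookieJar {
  // strictSecure models the later "Leave Secure Cookies Alone" rule (RFC 6265bis):
  // only an https origin may set a Secure cookie, and a plain-http origin may
  // not overwrite an existing Secure cookie of the same name.
  constructor({ strictSecure = false } = {}) {
    this.cookies = [];
    this.strictSecure = strictSecure;
  }

  // Store a cookie from a Set-Cookie header; returns true if it was accepted.
  setCookie(header, originUrl, now = Date.now()) {
    const c = parseSetCookie(header, originUrl, now);
    const host = new URL(originUrl).hostname;
    if (!domainMatches(host, c)) return false; // an origin may not set cookies for an unrelated domain
    if (this.strictSecure && !c.fromHttps) {
      if (c.secure) return false;
      const shadowsSecure = this.cookies.some((e) => e.secure && e.name === c.name &&
        (domainMatches(e.domain, c) || domainMatches(c.domain, e)));
      if (shadowsSecure) return false;
    }
    // Same name + domain + path replaces the stored cookie; Secure is not part of the key.
    this.cookies = this.cookies.filter(
      (e) => !(e.name === c.name && e.domain === c.domain && e.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // The Cookie header this jar would send with a request to url ('' if none apply).
  cookieHeaderFor(url, now = Date.now()) {
    const u = new URL(url);
    const overHttps = u.protocol === 'https:';
    return this.cookies
      .filter((c) => c.expires === null || c.expires > now)
      .filter((c) => domainMatches(u.hostname, c) && pathMatches(u.pathname, c.path))
      .filter((c) => !c.secure || overHttps) // Secure cookies travel only over https
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// The thread's scenario: the http site sets a 30-minute Domain cookie, plus a
// second cookie carrying the Secure flag as suggested above. Which requests get them?
function eknoScenario({ strictSecure = false } = {}) {
  const t0 = Date.parse('Thu, 15 Jul 1999 14:39:00 GMT');
  const httpSite = 'http://www.ekno.lonelyplanet.com/login';        // hosts and paths made up
  const httpsSite = 'https://secure.ekno.lonelyplanet.com/account';
  const jar = new CookieJar({ strictSecure });
  const plainAccepted = jar.setCookie(
    'session=abc123; Domain=.ekno.lonelyplanet.com; Path=/; Expires=Thu, 15 Jul 1999 15:09:00 GMT',
    httpSite, t0);
  const secureAccepted = jar.setCookie(
    'ssl_session=def456; Domain=.ekno.lonelyplanet.com; Path=/; Secure', httpSite, t0);
  const minute = 60 * 1000;
  return {
    plainAccepted,
    secureAccepted,
    toHttps: jar.cookieHeaderFor(httpsSite, t0 + minute),
    toHttp: jar.cookieHeaderFor(httpSite, t0 + minute),
    toHttpsAfter31min: jar.cookieHeaderFor(httpsSite, t0 + 31 * minute),
  };
}
```

Calling `eknoScenario()` gives the Netscape-spec behaviour (both cookies reach the https site, only the non-Secure one reaches http, and the 30-minute one is gone after expiry); `eknoScenario({ strictSecure: true })` shows the Secure cookie set from http being refused outright by a current browser. Whatever the 1999 browsers actually did, the spec itself does not tie a non-Secure cookie to the scheme that set it, which is what the jar models.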
At 15:39 +0300 15.7.1999, Anthony Baxter wrote:
As far as I can tell, both Navigator and IE are refusing to send the cookie set from the http site to the https site. Presumably this is some poor idea of security.
Well, the 'net security solutions related to https generally seem to involve totally disabling any and all data exchange possible. :( Some versions of browsers go totally haywire if you have an HTML page served from an https site that links to an image on an http site...

The behaviour of browsers in relation to https varies wildly with the version of the browser and seems to generally become stricter as time passes. Most probably this is due to the fact that people are very good at finding exploits.
Has anyone else seen this, and, more importantly, has anyone else found a workaround?
The only workaround we've figured out is to link from site to site with GET URLs that point to scripts and then set the cookie separately. That's sure to work with all browsers - I wouldn't trust setting a cookie "secure" as suggested here earlier with the amount of different cookie implementations out there, but then you're free to try. :)

Jussi

---
Jussi Haro
Chief Technical Designer
Grey Interactive Helsinki - http://www.greyinteractive.fi/
Tel. +358 9 6957 467 Fax. +358 9 6957 660