[Zope] [sort-of offtopic] cookies, http, and https.

Martijn Pieters mj@antraciet.nl
Thu, 15 Jul 1999 15:03:19 +0200


At 14:39 15/07/99 , Anthony Baxter wrote:
>Ok, so I have a number of sites in the domain ekno.lonelyplanet.com.
>
>I want to share cookies amongst them, so that the user only has to log in
>once, and the cookies (with a 30 minute lifetime) will pass that on to the
>others.
>
>Problem: one of the sites is http, the other https. Setting a cookie from
>the http site with a domain of '.ekno.lonelyplanet.com' _should_ result
>in it also being delivered to the https site, but doesn't.
>
>As far as I can tell, both Navigator and IE are refusing to send the cookie
>set from the http site to the https site. Presumably this is some poor idea
>of security.
>
>Has anyone else seen this, and, more importantly, has anyone else found
>a workaround?

I have no direct experience with this, but maybe this will help:

You can add the flag 'secure' to your cookie, signalling it can be 
transmitted over a secure channel. You might have to set the cookie twice, 
one with, and one without the 'secure' flag. Not sure if this will work...

Have a look at the original proposal from Netscape for more info (yeah 
right):
http://home.netscape.com/newsref/std/cookie_spec.html

--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| Tel: +31-35-7502100 Fax: +31-35-7502111
| mailto:mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
------------------------------------------
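
An added example, not part of the original message: Python's standard `http.cookiejar`, which follows the Netscape cookie rules, run offline to show which requests receive a cookie scoped to the thread's domain, with and without the `secure` attribute, and when the same name is set both ways. The host names and token values are constructed for illustration.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

DOMAIN = ".ekno.lonelyplanet.com"                    # domain from the thread
HTTP_URL = "http://www.ekno.lonelyplanet.com/"       # hypothetical host
HTTPS_URL = "https://secure.ekno.lonelyplanet.com/"  # hypothetical host


class FakeResponse:
    """Offline stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends duplicates

    def info(self):
        return self._headers


def set_cookie_value(token, secure):
    """Build a Set-Cookie value: shared domain, 30-minute lifetime."""
    value = f"session={token}; Domain={DOMAIN}; Path=/; Max-Age=1800"
    return value + "; Secure" if secure else value


def cookie_sent(jar, url):
    """Return the Cookie header the jar attaches to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")  # None when nothing is sent


def delivery(set_from_url, set_cookie_values):
    """Store cookies set by one site, report what each site then receives."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_values),
                        urllib.request.Request(set_from_url))
    return {"http": cookie_sent(jar, HTTP_URL),
            "https": cookie_sent(jar, HTTPS_URL)}


if __name__ == "__main__":
    plain = set_cookie_value("constructed-a", secure=False)
    secure = set_cookie_value("constructed-b", secure=True)
    print("plain, set over http  :", delivery(HTTP_URL, [plain]))
    print("secure, set over https:", delivery(HTTPS_URL, [secure]))
    print("both, same name       :", delivery(HTTPS_URL, [plain, secure]))
```

In this model a cookie without `secure` is attached to requests for both sites, a cookie with `secure` is attached only to https requests, and two cookies with the same name, domain and path replace each other rather than coexisting.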