Re: [Zope] Sharing session information between domains

Germer, Carsten carsten.germer@desy.de
Wed, 25 Jun 2003 09:41:11 +0200


From my experience, if the two machines are in the same domain it already is
done.
If you use CookieCrumbler the cookie seems to be set to be accessible
domain-wide (if it's not already and I'm wrong, it's an easy patch).
Then when you have www.mydom.com and secure.mydom.com they will both get and
use the session cookie :)

Cookie sharing with CookieCrumbler definitely works when you do
http://www.mydom.com/ and https://www.mydom.com/, have set that up, no
problem with session consistency.

Hope that helps, Carsten

> -----Original Message-----
> From: Dylan Reinhardt [mailto:zope@dylanreinhardt.com]
> Sent: Wednesday, 25 June 2003 00:14
> To: Alec Munro
> Cc: zope@zope.org
> Subject: Re: [Zope] Sharing session information between domains
>
>
> Ah... yes.  Huge difference.  Much easier.
>
> In this case, all I would suspect you need is a way of recognizing that
> the cookie produced by one domain should be linked to the cookie that
> was produced by another.
>
> Probably the easiest way to do this is to include content from both
> domains in one crucial page, such as the shopping cart view page.  When
> that page is loaded, you can set matching domain-specific cookies that
> will enable you to follow the client across domains.
>
> Dylan
>
>
> On Tue, 2003-06-24 at 14:05, Alec Munro wrote:
> > I realize that I forgot to mention that both the SSL and non sites are
> > running off of the same Zope instance, on the same machine. I imagine
> > your solution would probably still work, but I was hoping that there
> > would be something simpler. Thanks for the advice.
> >
> > Alec
> >
> > Dylan Reinhardt wrote:
> >
> > >I set up something like this that consisted of a two-way secure
> > >conversation.  If we label the public server X and the secure server Y:
> > >
> > >1. X prepares Y for client, shares some kind of token and/or cart id.
> > >2. Client visits Y using specially constructed URL, token, etc.
> > >3. Y retrieves cart securely from X each time data is needed.
> > >4. Billing data entered into Y stays on Y
> > >5. Y SSL-posts to X which items to mark as purchased.
> > >
> > >There are probably other ways to do this, but the above can be
> > >implemented pretty easily with external methods and a crypto library.
> > >
> > >HTH,
> > >
> > >Dylan
> > >
> > >
> > >
> > >On Tue, 2003-06-24 at 11:28, Alec Munro wrote:
> > >
> > >>Hi all,
> > >>
> > >>I have what I'm sure is the common predicament of having an SSL site
> > >>with a different domain than the non-SSL site. In fact, I have several
> > >>domains utilizing the same domain for SSL transactions. I need to figure
> > >>out a way of sharing session information between two domains, such that
> > >>the user can move relatively freely between the domains without losing
> > >>any information.
> > >>Just for an example of how this needs to work:
> > >>
> > >>user comes to site (session created, insecure)
> > >>user adds product to shopping cart (insecure)
> > >>user checks out (goes to secure site)
> > >>user inputs payment info (secure)
> > >>user remembers he forgot something, goes back to catalogue (insecure)
> > >>user adds another product to cart (insecure)
> > >>user checks out, payment information already input (secure)
> > >>user submits order (secure)
> > >>
> > >>The important part is that the user's personal information is never
> > >>transmitted insecurely, while the amount of information that is
> > >>transmitted securely is kept to a minimum.
> > >>This seems like a relatively common problem, so I would appreciate any help.
> > >>
> > >>Thanks for your time,
> > >>
> > >>Alec Munro
> > >>EOA Scientific Systems
> > >>
> > >>
> > >>
> > >>_______________________________________________
> > >>Zope maillist  -  Zope@zope.org
> > >>http://mail.zope.org/mailman/listinfo/zope
> > >>**   No cross posts or HTML encoding!  **
> > >>(Related lists -
> > >> http://mail.zope.org/mailman/listinfo/zope-announce
> > >> http://mail.zope.org/mailman/listinfo/zope-dev )
> > >>
> > >>
> > >
> > >
> > >
> >
> >
> >
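As an added illustration (not code from this thread, from Zope or from CookieCrumbler), the following Python models the two mechanisms the thread discusses. Part 1 is Carsten's point: a cookie whose Domain attribute names the parent domain is sent to both www.mydom.com and secure.mydom.com, while a cookie set without a Domain attribute stays host-only. The same model shows the caveat that matters for Alec's requirement that personal information never travel insecurely: a shared session cookie is also sent over plain http unless it carries the Secure attribute, so the checkout host should use a separate Secure cookie rather than reuse the public session cookie. Part 2 is the hand-off token that Dylan's step 1 ("X prepares Y for client, shares some kind of token and/or cart id") calls for, done with an HMAC over the cart id, an issue time and a nonce, so that Y can verify the token came from X and is still fresh before it fetches the cart. Host names reuse the thread's mydom.com examples; the cookie names, the www.otherdom.com host, the shared key, the cart id and the 300 second token lifetime are constructed assumptions.

```python
"""Two mechanisms from the thread, modelled so they can be checked offline.

Added illustration, not code from the Zope list thread, from Zope or from
CookieCrumbler. Part 1 models which cookies a browser attaches to a request
(RFC 6265 domain matching plus the Secure attribute); part 2 is an HMAC
hand-off token of the kind Dylan's "X prepares Y for client" step needs.
Host names reuse the thread's mydom.com examples; cookie names, the key,
the cart id and www.otherdom.com are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # ".mydom.com" from a Domain attribute, else the setting host
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    secure: bool     # Secure attribute: never sent over plain http


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: hosts are equal, or the request host is a subdomain."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Read one Set-Cookie header value the way a browser would store it."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    dom = morsel["domain"]          # "" when the server set no Domain attribute
    return Cookie(name=name, domain=dom or setting_host,
                  host_only=not dom, secure=bool(morsel["secure"]))


def would_send(cookie: Cookie, scheme: str, host: str) -> bool:
    """Would a browser attach this cookie to a request for scheme://host/ ?"""
    if cookie.host_only:
        if host.lower() != cookie.domain.lower():
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    return not (cookie.secure and scheme != "https")


# Constructed Set-Cookie values for the setups discussed in the thread.
SHARED_SESSION = parse_set_cookie("sessid=s1; Domain=.mydom.com; Path=/", "www.mydom.com")
HOST_ONLY_SESSION = parse_set_cookie("sessid=s2; Path=/", "www.mydom.com")
CHECKOUT_SESSION = parse_set_cookie(
    "checkout=c1; Domain=.mydom.com; Path=/; Secure; HttpOnly", "secure.mydom.com")

REQUESTS = [("http", "www.mydom.com"), ("https", "secure.mydom.com"),
            ("http", "www.otherdom.com")]  # the "different domain" case from the question


def sent_to(cookie: Cookie) -> list:
    """URLs from REQUESTS that would carry this cookie."""
    return [f"{s}://{h}" for s, h in REQUESTS if would_send(cookie, s, h)]


# Part 2: hand-off token. X mints it; Y verifies it before touching the cart.
def mint_handoff(cart_id: str, key: bytes, now: int) -> str:
    """Token layout cart_id|issued|nonce|hmac; cart_id must not contain '|'."""
    msg = f"{cart_id}|{now}|{secrets.token_hex(8)}"
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{tag}"


def verify_handoff(token: str, key: bytes, now: int, max_age: int = 300):
    """Return the cart id if the tag and the age check out, else None."""
    try:
        cart_id, issued, nonce, tag = token.split("|")
    except ValueError:
        return None
    msg = f"{cart_id}|{issued}|{nonce}"
    expected = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if not issued.isdigit() or now - int(issued) > max_age:
        return None
    return cart_id


if __name__ == "__main__":
    for c in (SHARED_SESSION, HOST_ONLY_SESSION, CHECKOUT_SESSION):
        print(c.name, "->", sent_to(c))
    key = b"constructed-shared-secret-between-X-and-Y"
    tok = mint_handoff("cart-42", key, now=1000)
    print(verify_handoff(tok, key, now=1100), verify_handoff(tok, key, now=2000))
```

The third request host shows why cookies alone cannot solve Alec's original case (an SSL host under a different domain): a browser will not send a cookie scoped to mydom.com to otherdom.com, and that is the gap Dylan's token carries across. The token is authenticated, not encrypted, so it should carry only the cart reference; billing data stays on Y, as step 4 of Dylan's scheme says.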