Bug 111802

Summary: Login cookie name should be unique to a server instance
Product: [Retired] Red Hat Web Application Framework Reporter: Daniel Berrangé <berrange>
Component: otherAssignee: ccm-bugs-list
Status: CLOSED WONTFIX QA Contact: Jon Orris <jorris>
Severity: medium Docs Contact:
Priority: medium    
Version: nightly   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-09-02 17:30:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Berrangé 2003-12-10 11:01:47 UTC 
Description of problem:
A shared (or even a personal) development server will typically have
many instances of CCM operational. The spec for cookies says that
their names are unique within a domain - there is no scope for
including a port number there (some browsers do allow it, but that's
not part of the spec & IE specifically doesn't allow it).

There is however a simple solution to this problem, which is instead
of simply setting a cookie named 'ad_user_login' we can prepend the
name of the site hostname &/ port number, eg
'dev.london.redhat.com-9002-login'.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Start two servers on a single machine, but different port
2. Login to one server
3. Login to the other server
4. Go back to a page on the first server
  
Actual results:
You are logged out

Expected results:
You are still logged in.

Additional info:
Comment 1 Daniel Berrangé 2004-01-05 16:16:10 UTC 
The following is sufficient to provide uniqueness of cookies across
all dev servers on a single host.

dan@camden$ p4 diff -dc
//core-platform/dev/src/com/arsdigita/kernel/security/CookieLoginModule.java
====
//core-platform/dev/src/com/arsdigita/kernel/security/CookieLoginModule.java#6
-
/var/ccm-devel/dev/dan/aplaws-rickshaw/core/src/com/arsdigita/kernel/security/CookieLoginModule.java
====
***************
*** 16,21 ****
--- 16,24 ----
  package com.arsdigita.kernel.security;
  
  import org.apache.log4j.Logger;
+ import javax.security.auth.login.LoginException;
+ 
+ import com.arsdigita.web.Web;
  
  /**
   * Logs in a user if the user has a valid authentication cookie.
***************
*** 35,38 ****
--- 38,47 ----
      public CookieLoginModule() {
          super(new CookieManager());
      }
+     
+     protected String getCredentialName()
+         throws LoginException {
+         return super.getCredentialName() + "_" + 
+             Web.getConfig().getHost().getPort();
+     }
  }
dan@camden$
Comment 2 Daniel Berrangé 2006-09-02 17:30:36 UTC 
Closing old tickets