Description of problem:
A shared (or even a personal) development server will typically have many instances of CCM operational. The spec for cookies says that their names are unique within a domain - there is no scope for including a port number there (some browsers do allow it, but that's not part of the spec & IE specifically doesn't allow it). There is however a simple solution to this problem, which is instead of simply setting a cookie named 'ad_user_login' we can prepend the name of the site hostname &/ port number, e.g. 'dev.london.redhat.com-9002-login'.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start two servers on a single machine, but on different ports
2. Login to one server
3. Login to the other server
4. Go back to a page on the first server

Actual results:
You are logged out

Expected results:
You are still logged in.

Additional info:
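The collision described above, reproduced in a small model of a browser cookie jar that scopes cookies by host name only. This is an added example, not code from the ticket or from the CCM code base; the host name, ports, user name and session-token format are constructed for the demonstration.

```python
# Added example (not from the ticket or the CCM code base): a minimal model of a
# browser cookie jar that keys cookies by (host, name) and ignores the port, as
# the cookie spec does. It replays the ticket's steps with a shared cookie name
# and with a port-suffixed one. Host, ports and tokens are constructed values.


class CookieJar:
    """Stores cookies keyed by (host, name); the port is deliberately ignored."""

    def __init__(self):
        self._jar = {}

    def set_cookie(self, host, name, value):
        self._jar[(host, name)] = value

    def cookies_for(self, host, port):
        # Every cookie for the host is sent, whatever port the request targets.
        return {name: v for (h, name), v in self._jar.items() if h == host}


class Server:
    """One CCM instance on a given port; remembers the tokens it issued."""

    def __init__(self, host, port, cookie_name):
        self.host, self.port, self.cookie_name = host, port, cookie_name
        self.issued = set()

    def login(self, jar, user):
        token = f"{user}@{self.port}"  # constructed session token
        self.issued.add(token)
        jar.set_cookie(self.host, self.cookie_name, token)

    def is_logged_in(self, jar):
        sent = jar.cookies_for(self.host, self.port)
        return sent.get(self.cookie_name) in self.issued


def reproduce(suffix_with_port):
    """Ticket steps: login to server A, login to server B, revisit A.
    Returns (A still logged in?, names of all cookies the browser sent to A)."""
    host = "dev.example.test"  # constructed host name

    def name(port):
        return f"ad_user_login_{port}" if suffix_with_port else "ad_user_login"

    a, b = Server(host, 9001, name(9001)), Server(host, 9002, name(9002))
    jar = CookieJar()
    a.login(jar, "dan")
    b.login(jar, "dan")  # with a shared name this overwrites A's cookie
    return a.is_logged_in(jar), sorted(jar.cookies_for(host, a.port))
```

The second element of the result shows that with distinct names the browser still sends both login cookies to each server, so the suffix prevents overwriting but not disclosure between instances on the same host.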
The following is sufficient to provide uniqueness of cookies across all dev servers on a single host. dan@camden$ p4 diff -dc //core-platform/dev/src/com/arsdigita/kernel/security/CookieLoginModule.java ==== //core-platform/dev/src/com/arsdigita/kernel/security/CookieLoginModule.java#6 - /var/ccm-devel/dev/dan/aplaws-rickshaw/core/src/com/arsdigita/kernel/security/CookieLoginModule.java ==== *************** *** 16,21 **** --- 16,24 ---- package com.arsdigita.kernel.security; import org.apache.log4j.Logger; + import javax.security.auth.login.LoginException; + + import com.arsdigita.web.Web; /** * Logs in a user if the user has a valid authentication cookie. *************** *** 35,38 **** --- 38,47 ---- public CookieLoginModule() { super(new CookieManager()); } + + protected String getCredentialName() + throws LoginException { + return super.getCredentialName() + "_" + + Web.getConfig().getHost().getPort(); + } } dan@camden$
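Review bot: the getCredentialName() override in the second hunk takes the suffix from Web.getConfig().getHost().getPort(), the configured port, not from the request that actually carried the cookie; if the configured host does not match what the browser connected to (or getHost() returns null), the name the server looks for never matches the name it set and every login silently fails, so a null guard and a short Javadoc comment stating why the suffix exists would help. Note also that the ticket's own premise (cookies are scoped by domain, not port) means this change only stops the two instances from overwriting each other's cookie; the browser still sends both login cookies to both servers on the host, so it does not isolate one developer's credential from another instance.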
Closing old tickets