| author | Chris McDonough <chrism@plope.com> | 2011-02-22 16:21:39 -0500 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2011-02-22 16:21:39 -0500 |
| commit | 0fd8eab45796417bbd8653d3f4e952135d4f8960 (patch) | |
| tree | 35d80278fe2d206630d51af9495642583e55f851 | |
| parent | 182aa7439f764cfe7811c68f7aedb291bc16d56b (diff) | |
From the code:
# While Chrome, IE, and Firefox can cope, Opera (at least) cannot
# cope with a port number in the cookie domain when the URL it
# receives the cookie from does not also have that port number in it
# (e.g. via a proxy). In the meantime, HTTP_HOST is sent with port
# number, and neither Firefox nor Chrome do anything with the
# information when it's provided in a cookie domain except strip it
# out. So we strip out any port number from the cookie domain
# aggressively to avoid problems. See also
# https://github.com/Pylons/pyramid/issues/131
Closes #131
| -rw-r--r-- | CHANGES.txt | 6 | ||||
| -rw-r--r-- | pyramid/authentication.py | 12 | ||||
| -rw-r--r-- | pyramid/tests/test_authentication.py | 15 |
3 files changed, 33 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index be295a51d..37d7a3dfc 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -18,6 +18,12 @@ Features
 - Added ``pyramid.i18n.make_localizer`` API (broken out from
 ``get_localizer`` guts).
+Bug Fixes
+---------
+
+- Don't send port numbers along with domain information in cookies set by
+ AuthTktCookieHelper (see https://github.com/Pylons/pyramid/issues/131).
+
 1.0 (2011-01-30)
 ================
diff --git a/pyramid/authentication.py b/pyramid/authentication.py
index cee339532..ad4ddf3ce 100644
--- a/pyramid/authentication.py
+++ b/pyramid/authentication.py
@@ -366,6 +366,18 @@ class AuthTktCookieHelper(object):
 cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
+ # While Chrome, IE, and Firefox can cope, Opera (at least) cannot
+ # cope with a port number in the cookie domain when the URL it
+ # receives the cookie from does not also have that port number in it
+ # (e.g via a proxy). In the meantime, HTTP_HOST is sent with port
+ # number, and neither Firefox nor Chrome do anything with the
+ # information when it's provided in a cookie domain except strip it
+ # out. So we strip out any port number from the cookie domain
+ # aggressively to avoid problems. See also
+ # https://github.com/Pylons/pyramid/issues/131
+ if ':' in cur_domain:
+ cur_domain = cur_domain.split(':', 1)[0]
+
 cookies = [
 ('Set-Cookie', '%s="%s"; Path=%s%s%s' % (
 self.cookie_name, value, self.path, max_age, self.static_flags)),
diff --git a/pyramid/tests/test_authentication.py b/pyramid/tests/test_authentication.py
index 070b232b5..84d2839c9 100644
--- a/pyramid/tests/test_authentication.py
+++ b/pyramid/tests/test_authentication.py
@@ -580,6 +580,21 @@ class TestAuthTktCookieHelper(unittest.TestCase):
 self.assertTrue(result[1][1].endswith('; Path=/; Domain=localhost'))
 self.failUnless(result[1][1].startswith('auth_tkt='))
+ def test_remember_domain_has_port(self):
+ plugin = self._makeOne('secret', wild_domain=False)
+ request = self._makeRequest()
+ request.environ['HTTP_HOST'] = 'example.com:80'
+ result = plugin.remember(request, 'other')
+ self.assertEqual(len(result), 2)
+
+ self.assertEqual(result[0][0], 'Set-Cookie')
+ self.assertTrue(result[0][1].endswith('; Path=/'))
+ self.failUnless(result[0][1].startswith('auth_tkt='))
+
+ self.assertEqual(result[1][0], 'Set-Cookie')
+ self.assertTrue(result[1][1].endswith('; Path=/; Domain=example.com'))
+ self.failUnless(result[1][1].startswith('auth_tkt='))
+
 def test_remember_string_userid(self):
 plugin = self._makeOne('secret')
 request = self._makeRequest()
|
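Review bot: The port strip added in the authentication.py hunk, `if ':' in cur_domain: cur_domain = cur_domain.split(':', 1)[0]`, mishandles a bracketed IPv6 host literal: an HTTP_HOST of `[::1]:8080`, or `[::1]` with no port at all, is reduced to `[`, so the Domain attribute of the second Set-Cookie becomes wrong rather than merely port-less. Splitting from the right and leaving bracketed literals alone covers both shapes: `if ':' in cur_domain and not cur_domain.endswith(']'):` followed by `cur_domain = cur_domain.rsplit(':', 1)[0]`. Note that `cur_domain` still comes straight from the client-supplied Host header via `environ.get('HTTP_HOST', ...)`, which this commit does not change; unless the front end pins the Host value, the cookie Domain follows whatever the client sent, port-stripped or not. The enclosing method (presumably `remember`, judging by the new test) starts and ends outside the hunk.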
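Review bot: `test_remember_domain_has_port` mixes `self.assertTrue` and `self.failUnless` for the same kind of check; `failUnless` is the deprecated alias of `assertTrue`, so the three `failUnless` calls would read more consistently as `self.assertTrue(result[0][1].startswith('auth_tkt='))` and the same for `result[1][1]`, even though the surrounding tests already use the older name. The only host shape exercised is `example.com:80`; a sibling test that sets `request.environ['HTTP_HOST']` to a bracketed IPv6 literal with a port would pin what the new first-colon split in authentication.py produces for that input, which is the case most likely to regress silently. The test method itself is complete within the hunk.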
