-rw-r--r--CHANGES.txt6
-rw-r--r--pyramid/authentication.py12
-rw-r--r--pyramid/tests/test_authentication.py15
3 files changed, 33 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index be295a51d..37d7a3dfc 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -18,6 +18,12 @@ Features
- Added ``pyramid.i18n.make_localizer`` API (broken out from
``get_localizer`` guts).
+Bug Fixes
+---------
+
+- Don't send port numbers along with domain information in cookies set by
+ AuthTktCookieHelper (see https://github.com/Pylons/pyramid/issues/131).
+
1.0 (2011-01-30)
================
diff --git a/pyramid/authentication.py b/pyramid/authentication.py
index cee339532..ad4ddf3ce 100644
--- a/pyramid/authentication.py
+++ b/pyramid/authentication.py
@@ -366,6 +366,18 @@ class AuthTktCookieHelper(object):
cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
+ # While Chrome, IE, and Firefox can cope, Opera (at least) cannot
+ # cope with a port number in the cookie domain when the URL it
+ # receives the cookie from does not also have that port number in it
+ # (e.g via a proxy). In the meantime, HTTP_HOST is sent with port
+ # number, and neither Firefox nor Chrome do anything with the
+ # information when it's provided in a cookie domain except strip it
+ # out. So we strip out any port number from the cookie domain
+ # aggressively to avoid problems. See also
+ # https://github.com/Pylons/pyramid/issues/131
+ if ':' in cur_domain:
+ cur_domain = cur_domain.split(':', 1)[0]
+
cookies = [
('Set-Cookie', '%s="%s"; Path=%s%s%s' % (
self.cookie_name, value, self.path, max_age, self.static_flags)),
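Review bot: The new port-stripping check at `if ':' in cur_domain:` mis-handles a bracketed IPv6 Host header: for `[::1]:8080` or a bare `[::1]`, `split(':', 1)[0]` yields `[`, so the second Set-Cookie header would carry `Domain=[` instead of a usable domain. Stripping from the right and skipping values that end in a bracket keeps the fix for `example.com:80` while leaving IPv6 literals intact, e.g. `if ':' in cur_domain and not cur_domain.endswith(']'):` followed by `cur_domain = cur_domain.rsplit(':', 1)[0]`. It would also be worth extending `test_remember_domain_has_port` in the test hunk below with a bracketed-IPv6 case so the behaviour is pinned. As a smaller point, `cur_domain` comes from the client-controlled Host header and can be `None` if neither HTTP_HOST nor SERVER_NAME is set; the new `in` test would then raise TypeError where the old code did not, though a WSGI server is required to supply SERVER_NAME so this is probably theoretical. The enclosing `remember` method starts and ends outside this hunk.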
diff --git a/pyramid/tests/test_authentication.py b/pyramid/tests/test_authentication.py
index 070b232b5..84d2839c9 100644
--- a/pyramid/tests/test_authentication.py
+++ b/pyramid/tests/test_authentication.py
@@ -580,6 +580,21 @@ class TestAuthTktCookieHelper(unittest.TestCase):
self.assertTrue(result[1][1].endswith('; Path=/; Domain=localhost'))
self.failUnless(result[1][1].startswith('auth_tkt='))
+ def test_remember_domain_has_port(self):
+ plugin = self._makeOne('secret', wild_domain=False)
+ request = self._makeRequest()
+ request.environ['HTTP_HOST'] = 'example.com:80'
+ result = plugin.remember(request, 'other')
+ self.assertEqual(len(result), 2)
+
+ self.assertEqual(result[0][0], 'Set-Cookie')
+ self.assertTrue(result[0][1].endswith('; Path=/'))
+ self.failUnless(result[0][1].startswith('auth_tkt='))
+
+ self.assertEqual(result[1][0], 'Set-Cookie')
+ self.assertTrue(result[1][1].endswith('; Path=/; Domain=example.com'))
+ self.failUnless(result[1][1].startswith('auth_tkt='))
+
def test_remember_string_userid(self):
plugin = self._makeOne('secret')
request = self._makeRequest()