[PATCH] ini file: make cookie name unique

Thomas De Schampheleire patrickdepinguin at gmail.com
Wed Mar 4 15:57:11 EST 2015


# HG changeset patch
# User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
# Date 1425502595 -3600
#      Wed Mar 04 21:56:35 2015 +0100
# Node ID d88fe779ac6cf324062c6a4bd8b5071c8de32c3f
# Parent  fc311d8c3997063a8c6020f4e8d32ca77be339e5
ini file: make cookie name unique

When several instances of Kallithea are running on the same machine, the
same browser cannot be logged into both instances at the same time without
conflicts. The login sessions are saved into the same cookie; logging into
one instance closes the session on the second instance and vice-versa.

This is caused because the cookie name is simply 'kallithea', combined with
the fact that the cookie specification (RFC6265) states that there is no
isolation of cookies based on port. This means that the browser sends all
cookies from a given domain with all services (Kallithea instances) running
on that domain, irrespective of port.

The services thus need to handle any such issue themselves, for example by
using unique cookie names and only interacting with one's own cookie.

This commit uses the paster-provided 'app_instance_secret' to make the
cookie name unique. We cannot/should not use the app_instance_uuid, because
this is already used as beaker session secret; exposing it to the cookie is
insecure. On the other hand, app_instance_secret is not used at all yet so
can safely be used.

Regarding other ways to make the cookie name unique:
- the port number itself would be sufficiently unique; however it is not
  known at installation time which port the user will use. Depending on the
  user to make the cookie name unique is not realistic.
- any other random number would be fine, but it's unclear (to me) how to
  generate such a number through the 'paster make-config' method.
- the name of the config file is not sufficiently unique, as the same
  machine could host two Kallithea instances from two different installation
  directories with the same config file names.

diff --git a/kallithea/config/deployment.ini_tmpl b/kallithea/config/deployment.ini_tmpl
--- a/kallithea/config/deployment.ini_tmpl
+++ b/kallithea/config/deployment.ini_tmpl
@@ -345,7 +345,7 @@
 ## file based cookies (default) ##
 #beaker.session.type = file
 
-beaker.session.key = kallithea
+beaker.session.key = kallithea-${app_instance_secret}
 beaker.session.secret = ${app_instance_uuid}
 
 ## Secure encrypted cookie. Requires AES and AES python libraries
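
Review bot: On the `+beaker.session.key = kallithea-${app_instance_secret}` line, a value whose name says "secret" becomes part of the cookie name, which is visible in the browser and sent in every Cookie header. The commit message rules out app_instance_uuid for exactly that reason, since it is the `beaker.session.secret` on the next line, so app_instance_secret has to be treated as public from this change on. Add a `##` comment above the line saying so, so that nobody later reuses it as key material. The template also gives no hint that the suffix exists to keep instances on the same host from overwriting each other's session cookie; the same comment can state that.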

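The port-blind cookie handling the commit message describes, as an added example that is not part of the patch or of Kallithea. Python's `http.cookiejar` stands in for the browser; the hostname, ports, session values and the `aaaa`/`bbbb` suffixes are constructed.

```python
import email
import http.cookiejar
import urllib.request

HOST = "git.example.test"  # constructed hostname, not from the patch


class FakeResponse:
    """Minimal response object: CookieJar only calls .info() on it."""

    def __init__(self, set_cookie):
        self._msg = email.message_from_string("Set-Cookie: %s\n\n" % set_cookie)

    def info(self):
        return self._msg


def login(jar, port, cookie):
    """Simulate the login response of the instance listening on `port`."""
    req = urllib.request.Request("http://%s:%d/" % (HOST, port))
    jar.extract_cookies(FakeResponse(cookie), req)


def cookies_sent(jar, port):
    """Return the cookies the client would send to the instance on `port`."""
    req = urllib.request.Request("http://%s:%d/" % (HOST, port))
    jar.add_cookie_header(req)
    header = req.get_header("Cookie") or ""
    return dict(p.split("=", 1) for p in header.split("; ") if p)


def shared_name():
    """Both instances use the cookie name 'kallithea' (before the patch)."""
    jar = http.cookiejar.CookieJar()
    login(jar, 5000, "kallithea=session-A; Path=/")
    login(jar, 5001, "kallithea=session-B; Path=/")  # overwrites session-A
    return cookies_sent(jar, 5000)


def unique_names():
    """Each instance has its own suffix (after the patch)."""
    jar = http.cookiejar.CookieJar()
    login(jar, 5000, "kallithea-aaaa=session-A; Path=/")
    login(jar, 5001, "kallithea-bbbb=session-B; Path=/")
    return cookies_sent(jar, 5000)
```

With the shared name, the instance on port 5000 receives only the session issued by port 5001. With unique names it receives both cookies and reads only its own.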
