[PATCH] middleware: use secure cookies over secure connections
Thomas De Schampheleire
patrickdepinguin at gmail.com
Thu Mar 5 03:34:45 EST 2015
Hi Andrew,
On Thu, Mar 5, 2015 at 8:01 AM, Andrew Shadura <andrew at shadura.me> wrote:
> Hello,
>
> On Thu, 05 Mar 2015 06:58:30 +0100
> Thomas De Schampheleire
> <patrickdepinguin at gmail.com> wrote:
>
>> Then with this wrapper, can't we also change the cookie name to
>> append the port, as an alternative to my recent patch fixing it in
>> the config file?
>
> In theory, yes, but I'm not sure we should :) I'm not sure however, the
> port is the only thing to distinguish between different services. If it
> were me, I'd have different services running on the same port, but I'd
> had them available at different domains. Given that, I think your
> original patch might be better.
But if you use different domains, then the cookies would be unique,
correct? One cookie would be for example.com:80 with name
kallithea-80, and the other for otherexample.com:80 with name
kallithea-80. These cookies cannot collide, AFAIK.
I think the same is true when using subdomains. At least, in RFC6265 I
don't see a mention about this not working.
The biggest disadvantage with my current patch is that we're using the
app_instance_secret that could be needed for some other purpose in the
future.
More information about the kallithea-general
mailing list