[PATCH] middleware: use secure cookies over secure connections
Andrew Shadura
andrew at shadura.me
Thu Mar 5 03:50:29 EST 2015
Hello,
On 5 March 2015 at 09:34, Thomas De Schampheleire
<patrickdepinguin at gmail.com> wrote:
>>> Then with this wrapper, can't we also change the cookie name to
>>> append the port, as an alternative to my recent patch fixing it in
>>> the config file?
>> In theory, yes, but I'm not sure we should :) I'm not sure, however, that the
>> port is the only thing to distinguish between different services. If it
>> were me, I'd have different services running on the same port, but I'd
>> have them available at different domains. Given that, I think your
>> original patch might be better.
> But if you use different domains, then the cookies would be unique,
> correct? One cookie would be for example.com:80 with name
> kallithea-80, and the other for otherexample.com:80 with name
> kallithea-80. These cookies cannot collide, AFAIK.
Okay, makes sense.
> I think the same is true when using subdomains. At least, in RFC6265 I
> don't see a mention about this not working.
> The biggest disadvantage with my current patch is that we're using the
> app_instance_secret that could be needed for some other purpose in the
> future.
True. I'll hack something around this today.
--
Cheers,
Andrew
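As an added illustration (not Kallithea's code and not the patch under discussion), the following WSGI middleware shows the two ideas in this thread together: a cookie name suffixed with the port, which is the workaround for browsers keeping one cookie jar per host and ignoring the port (RFC 6265 section 8.5), and a wrapper that appends the `Secure` attribute to every `Set-Cookie` header when the request arrived over HTTPS, so the session cookie is never replayed over plain HTTP. The names `SecureCookieMiddleware`, `port_suffixed_cookie_name`, `demo_app` and the cookie value `abc123` are all assumptions constructed for this example.

```python
"""Added example, not Kallithea's own code: a WSGI wrapper that

1. appends '; Secure' to Set-Cookie headers when wsgi.url_scheme is https, and
2. derives a per-port cookie name such as "kallithea-80", because browsers
   match cookies on host only and ignore the port (RFC 6265 section 8.5).

All application and cookie names below are constructed sample values.
"""
from wsgiref.util import setup_testing_defaults  # stdlib helper that fills a WSGI environ


def port_suffixed_cookie_name(environ, base="kallithea"):
    """Return '<base>-<port>', taking the port from HTTP_HOST or SERVER_PORT."""
    host = environ.get("HTTP_HOST", "")
    # 'host:port' form; a bare IPv6 literal like '[::1]' ends with ']' and has no port
    if ":" in host and not host.endswith("]"):
        port = host.rsplit(":", 1)[1]
    else:
        port = environ.get("SERVER_PORT", "80")
    return "%s-%s" % (base, port)


def _secure_flag_present(cookie_value):
    """True if the Set-Cookie value already carries the Secure attribute."""
    return any(part.strip().lower() == "secure" for part in cookie_value.split(";"))


class SecureCookieMiddleware(object):
    """Mark every Set-Cookie header Secure when the request came in over HTTPS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        is_https = environ.get("wsgi.url_scheme", "http") == "https"

        def _start_response(status, headers, exc_info=None):
            if is_https:
                headers = [
                    (name, value if name.lower() != "set-cookie" or _secure_flag_present(value)
                     else value + "; Secure")
                    for name, value in headers
                ]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Minimal constructed app that sets a session cookie named after the port."""
    name = port_suffixed_cookie_name(environ)
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "%s=abc123; Path=/; HttpOnly" % name)])
    return [b"ok"]


def run(scheme, host):
    """Drive demo_app through the middleware; return (cookie name, Set-Cookie value)."""
    environ = {}
    setup_testing_defaults(environ)      # SERVER_PORT defaults to '80'
    environ["wsgi.url_scheme"] = scheme
    environ["HTTP_HOST"] = host
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    app = SecureCookieMiddleware(demo_app)
    list(app(environ, start_response))
    set_cookie = dict(captured["headers"])["Set-Cookie"]
    return set_cookie.split("=", 1)[0], set_cookie


if __name__ == "__main__":
    print(run("http", "example.com:80"))     # kallithea-80, no Secure flag
    print(run("https", "example.com:443"))   # kallithea-443, Secure appended
```

Because the suffix comes from the port alone, two instances on different hosts but the same port (example.com:80 and otherexample.com:80) both get `kallithea-80`, which is harmless since the browser already separates them by host; only instances sharing a host need distinct names.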