[PATCH] ini file: make cookie name unique

Mads Kiilerich mads at kiilerich.com
Fri Mar 6 11:26:36 EST 2015


On 03/04/2015 09:57 PM, Thomas De Schampheleire wrote:
> # HG changeset patch
> # User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
> # Date 1425502595 -3600
> #      Wed Mar 04 21:56:35 2015 +0100
> # Node ID d88fe779ac6cf324062c6a4bd8b5071c8de32c3f
> # Parent  fc311d8c3997063a8c6020f4e8d32ca77be339e5
> ini file: make cookie name unique
>
> When several instances of Kallithea are running on the same machine, the
> same browser cannot be logged into both instances at the same time without
> conflicts. The login sessions are saved into the same cookie; logging into
> one instance closes the session on the second instance and vice-versa.
>
> This is caused because the cookie name is simply 'kallithea', combined with
> the fact that the cookie specification (RFC6265) states that there is no
> isolation of cookies based on port. This means that the browser sends all
> cookies from a given domain with all services (Kallithea instances) running
> on that domain, irrespective of port.
>
> The services thus need to handle any such issue themselves, for example by
> using unique cookie names and only interacting with one's own cookie.
>
> This commit uses the paster-provided 'app_instance_secret' to make the
> cookie name unique. We cannot/should not use the app_instance_uuid, because
> this is already used as beaker session secret; exposing it to the cookie is
> insecure. On the other hand, app_instance_secret is not used at all yet so
> can safely be used.

I don't think it is ok to use app_instance_secret. It is a "secret". 
Exposing it will probably at some point end up having security implications.

> Regarding other ways to make the cookie name unique:
> - the port number itself would be sufficiently unique; however it is not
>    known at installation time which port the user will use. Depending on the
>    user to make the cookie name unique is not realistic.

It is only a problem for developers and admins that happen to run
multiple instances. I don't think the problem is that big and it might
be realistic to ask the admins to make them unique if they care.

> - any other random number would be fine, but it's unclear (to me) how to
>    generate such a number through the 'paster make-config' method.

Neither do I ... but it seems like that is the only good solution.

> - the name of the config file is not sufficiently unique, as the same
>    machine could host two Kallithea instances from two different installation
>    directories with the same config file names.

I guess that also would require defining a custom template keyword?

It could perhaps use the full %(here) path? Or would that be too long or 
contain invalid characters? Some would probably also consider that an 
unfortunate information leak... Then perhaps a hash? But that would 
require a custom template keyword too ...

> diff --git a/kallithea/config/deployment.ini_tmpl b/kallithea/config/deployment.ini_tmpl
> --- a/kallithea/config/deployment.ini_tmpl
> +++ b/kallithea/config/deployment.ini_tmpl
> @@ -345,7 +345,7 @@
>   ## file based cookies (default) ##
>   #beaker.session.type = file
>   
> -beaker.session.key = kallithea
> +beaker.session.key = kallithea-${app_instance_secret}
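Review bot: the new default interpolates `${app_instance_secret}` into `beaker.session.key`, which is the session cookie name, so a value the template treats as a secret is sent in cleartext in the Cookie header of every request; derive the unique suffix from a non-secret value instead (a dedicated template variable, or a hash of the install path as suggested below), and add a comment above `beaker.session.key` stating that it is the cookie name and that admins running several instances on one host must make it unique.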

A simple improvement would be to document that this actually is a cookie 
name (if I understand you correctly) and when it should be customized.

/Mads
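The two points made in this thread, that a browser does not isolate cookies by port (RFC 6265) and that a hash of the install path gives a unique but non-secret cookie name, can be shown in a few lines. The following is an added example, not Kallithea's code and not a paster template keyword: it models a port-agnostic cookie jar to reproduce the clobbering, derives a `kallithea-<hash>` name from a constructed install directory, and checks the result against the RFC 6265 cookie-name token grammar. The host name, ports and session values are constructed.

```python
"""Added example (not Kallithea's own code): why two instances on one host
collide on a shared cookie name, and how a path-derived, non-secret name avoids it."""
import hashlib
import re
from urllib.parse import urlsplit

# RFC 6265 cookie-name is an HTTP token (RFC 2616 section 2.2):
# any ASCII char except CTLs and the separators ()<>@,;:\"/[]?={} SP HT.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_cookie_name(name: str) -> bool:
    """True if `name` may be used verbatim as a cookie name."""
    return bool(_TOKEN_RE.match(name))


def cookie_name_for_instance(here: str, prefix: str = "kallithea") -> str:
    """Derive a unique cookie name from the install directory (`here`).

    Hashing keeps the name short, avoids characters that are invalid in a
    cookie name (such as '/'), and does not reveal the path itself.  The hash
    is only a uniqueness device; nothing secret goes into the cookie name.
    """
    digest = hashlib.sha256(here.encode("utf-8")).hexdigest()[:12]
    return f"{prefix}-{digest}"


class BrowserCookieJar:
    """Minimal model of RFC 6265 storage: cookies are keyed by (host, path, name).

    The port is deliberately not part of the key, which is exactly the
    behaviour the patch description complains about.  Path scoping is
    simplified to '/' for every cookie.
    """

    def __init__(self):
        self._store = {}

    def set_cookie(self, url: str, name: str, value: str) -> None:
        host = urlsplit(url).hostname
        self._store[(host, "/", name)] = value

    def cookies_for(self, url: str) -> dict:
        host = urlsplit(url).hostname
        return {name: v for (h, _, name), v in self._store.items() if h == host}


def simulate_logins(cookie_name_a: str, cookie_name_b: str):
    """Log into instance A (:5000) then instance B (:5001) from one browser.

    Returns the session value each instance sees afterwards under its own
    cookie name.  With identical names, A's session has been overwritten.
    """
    jar = BrowserCookieJar()
    # Constructed host, ports and session identifiers.
    jar.set_cookie("http://hg.example.test:5000/", cookie_name_a, "session-A")
    jar.set_cookie("http://hg.example.test:5001/", cookie_name_b, "session-B")
    seen_by_a = jar.cookies_for("http://hg.example.test:5000/").get(cookie_name_a)
    seen_by_b = jar.cookies_for("http://hg.example.test:5001/").get(cookie_name_b)
    return seen_by_a, seen_by_b


if __name__ == "__main__":
    print("shared name:", simulate_logins("kallithea", "kallithea"))
    name_a = cookie_name_for_instance("/srv/kallithea-a")
    name_b = cookie_name_for_instance("/srv/kallithea-b")
    print("unique names:", name_a, name_b, simulate_logins(name_a, name_b))
```

The raw `%(here)` path fails the token check because of the slashes, which is one reason a hash is the practical form of that idea; the hash contributes uniqueness only, so the beaker session secret stays entirely separate from anything the browser can see.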

More information about the kallithea-general mailing list