[PATCH] ini file: make cookie name unique

Fri Mar 6 11:30:36 EST 2015

On Fri, Mar 6, 2015 at 5:26 PM, Mads Kiilerich <mads at kiilerich.com> wrote:
> On 03/04/2015 09:57 PM, Thomas De Schampheleire wrote:
>>
>> # HG changeset patch
>> # User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
>> # Date 1425502595 -3600
>> #      Wed Mar 04 21:56:35 2015 +0100
>> # Node ID d88fe779ac6cf324062c6a4bd8b5071c8de32c3f
>> # Parent  fc311d8c3997063a8c6020f4e8d32ca77be339e5
>> ini file: make cookie name unique
>>
>> When several instances of Kallithea are running on the same machine, the
>> same browser cannot be logged into both instances at the same time without
>> conflicts. The login session are saved into the same cookie; logging into
>> one instance closes the session on the second instance and vice-versa.
>>
>> This is caused because the cookie name is simply 'kallithea', combined
>> with
>> the fact that the cookie specification (RFC6265) states that there is no
>> isolation of cookies based on port. This means that the browser sends all
>> cookies from a given domain with all services (Kallithea instances)
>> running
>> on that domain, irrespective of port.
>>
>> The services thus need to handle any such issue themselves, for example by
>> using unique cookie names and only interacting with one's own cookie.
>>
>> This commit uses the paster-provided 'app_instance_secret' to make the
>> cookie name unique. We cannot/should not use the app_instance_uuid,
>> because
>> this is already used as beaker session secret; exposing it to the cookie
>> is
>> insecure. On the other hand, app_instance_secret is not used at all yet so
>> can safely be used.
>
>
> I don't think it is ok to use app_instance_secret. It is a "secret".
> Exposing it will probably at some point end up having security implications.
>
>> Regarding other ways to make the cookie name unique:
>> - the port number itself would be sufficiently unique; however it is not
>>    known at installation time which port the user will use. Depending on
>> the
>>    user to make the cookie name unique is not realistic.
>
>
> It is only a problem for developers and admins that happens to run multiple
> instances. I don't think the problem is that big and it might be realistic
> to ask the admins to make them unique if they care.
>
>> - any other random number would be fine, but it's unclear (to me) how to
>>    generate such a number through the 'paster make-config' method.
>
>
> Neither do I ... but it seems like that is the only good solution.
>
>> - the name of the config file is not sufficiently unique, as the same
>>    machine could host two Kallithea instances from two different
>> installation
>>    directories with the same config file names.
>
>
> I guess that also would require defining a custom template keyword?
>
> It could perhaps use the full %(here) path? Or would that be too long or
> contain invalid characters? Some would probably also consider that an
> unfortunate information leak... Then perhaps a hash? But that would require
> a custom template keyword too ...
>
>> diff --git a/kallithea/config/deployment.ini_tmpl
>> b/kallithea/config/deployment.ini_tmpl
>> --- a/kallithea/config/deployment.ini_tmpl
>> +++ b/kallithea/config/deployment.ini_tmpl
>> @@ -345,7 +345,7 @@
>>   ## file based cookies (default) ##
>>   #beaker.session.type = file
>>   -beaker.session.key = kallithea
>> +beaker.session.key = kallithea-${app_instance_secret}
>
>
> A simple improvement would be to document that this actually is a cookie
> name (if I understand you correctly) and when it should be customized.
>

I haven't tested it yet, but I thank that Andrew's patch wrapping
around beaker's sessionmiddleware can be used to append the port to
the cookie name on the fly, thus not needing tweaks in the config
file...