[PATCH] ini file: clarify that beaker.session.key should be unique

Thomas De Schampheleire patrickdepinguin at gmail.com
Tue Mar 10 15:02:51 EDT 2015 

# HG changeset patch
# User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
# Date 1426014041 -3600
#      Tue Mar 10 20:00:41 2015 +0100
# Node ID 6b1790f954863fa61a32b0028b6cc1ef3add3683
# Parent  66d6dc56479bbe8c1fd5077b5705e2d6b9ee73db
ini file: clarify that beaker.session.key should be unique

When several instances of Kallithea are running on the same machine, the
same browser cannot be logged into both instances at the same time without
conflicts. The login session are saved into the same cookie; logging into
one instance closes the session on the second instance and vice-versa.

This is caused because the cookie name is simply 'kallithea', combined with
the fact that the cookie specification (RFC6265) states that there is no
isolation of cookies based on port. This means that the browser sends all
cookies from a given domain with all services (Kallithea instances) running
on that domain, irrespective of port.

The services thus need to handle any such issue themselves, for example by
using unique cookie names and only interacting with one's own cookie.

Making the key unique when creating the configuration file proved difficult:
- it does not seem possible to hook into 'paster make-config'
- since Beaker directly interprets the beaker.session.key, changing it on
  the fly from SessionMiddleware will not work correctly.

There is a kallithea-config script that is an alternative to 'paster
make-config' which would be the ideal place to make such changes. However,
it seems this method is not advocated over 'paster make-config' (yet?).

Instead, simply add a comment in the config file and let the user take care
of it.

diff --git a/kallithea/bin/template.ini.mako b/kallithea/bin/template.ini.mako
--- a/kallithea/bin/template.ini.mako
+++ b/kallithea/bin/template.ini.mako
@@ -348,6 +348,10 @@
 <%text>## file based cookies (default) ##</%text>
 #beaker.session.type = file
 
+<%text>
+## beaker.session.key should be unique for a given host, even when running
+## on different ports. Otherwise, cookie sessions will be shared and messed up.
+</%text>
 beaker.session.key = kallithea
 beaker.session.secret = ${uuid()}
 
diff --git a/kallithea/config/deployment.ini_tmpl b/kallithea/config/deployment.ini_tmpl
--- a/kallithea/config/deployment.ini_tmpl
+++ b/kallithea/config/deployment.ini_tmpl
@@ -345,6 +345,8 @@
 ## file based cookies (default) ##
 #beaker.session.type = file
 
+## beaker.session.key should be unique for a given host, even when running
+## on different ports. Otherwise, cookie sessions will be shared and messed up.
 beaker.session.key = kallithea
 beaker.session.secret = ${app_instance_uuid}

More information about the kallithea-general mailing list