
Cannot set cookie domain to wildcard version of exact host

    • Bug
    • Resolution: Fixed
    • Low
    • 2.0.4, 2.1
    • 1.6.2, 2.0.3
    • SSO
    • None

      If Crowd is sitting on example.com, you are not able to set the cookie domain to .example.com. This should be allowed; see http://stackoverflow.com/questions/1062963/how-do-browser-cookie-domains-work

      Relevant code is in UpdateGeneral.java:

                  if (!(domain.equals("") || domain.equals(actualDomain) || (domain.startsWith(".") && actualDomain.endsWith(domain))))
                  {
                      addFieldError("domain", getText("options.domain.invalid"));
                  }
      

            [CWD-1821] Cannot set cookie domain to wildcard version of exact host

            Erik van Zijst (Inactive) added a comment -

            Also worth noting that you need at least 2 dots in the cookie domain...

            Yes, except for:

            [NETSC] did try to deal with the problem by requiring two internal
            dots in the domain attribute (e.g. example.co.uk) when the TLD is not
            one of the specified generic ones. Unfortunately, this rule was
            never implemented correctly, and if it had been, it would have made
            it impossible to use cookies in the many flat ccTLD domains.

            shihab added a comment -

            Also worth noting that you need at least 2 dots in the cookie domain for it to be considered valid: http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain

            Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".


            shihab added a comment -

            We'll patch it for 1.7-studio-4 and give you the changeset


            David O'Flynn [Atlassian] added a comment -

            So... where's the patch?

            shihab added a comment -

            This also affects Login.java: isDomainValid in an identical manner.

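The check quoted in the issue description, next to one way it could be relaxed so that both UpdateGeneral.java and Login.java accept ".example.com" for a host of "example.com". This is an added example, not part of the original issue and not Atlassian's patch; the class name, the method names and the sample inputs are hypothetical.

```java
import java.util.Locale;

public class CookieDomainCheck {

    // The condition quoted in the issue (without the negation): a leading-dot
    // domain is accepted only when it is a suffix of the host name itself.
    static boolean originalCheck(String domain, String actualDomain) {
        return domain.equals("") || domain.equals(actualDomain)
                || (domain.startsWith(".") && actualDomain.endsWith(domain));
    }

    // Hypothetical replacement (an assumption, not the shipped fix): compare
    // case-insensitively and also accept "." + host.
    static boolean relaxedCheck(String domain, String actualDomain) {
        String d = domain.trim().toLowerCase(Locale.ROOT);
        String host = actualDomain.toLowerCase(Locale.ROOT);
        if (d.isEmpty() || d.equals(host)) {
            return true;
        }
        if (!d.startsWith(".") || d.length() < 2) {
            return false;
        }
        // Prefixing the host with a dot lets ".example.com" match the host
        // "example.com"; because d starts with a dot, any match still begins
        // on a label boundary.
        return ("." + host).endsWith(d);
    }

    public static void main(String[] args) {
        // Constructed inputs: {requested cookie domain, host the app is served from}
        String[][] cases = {
            {".example.com", "example.com"},        // the case from this issue
            {".example.com", "crowd.example.com"},  // parent domain of the host
            {"example.com", "example.com"},         // exact host
            {".other.com", "example.com"},          // unrelated domain
            {".ample.com", "example.com"},          // not on a label boundary
            {".com", "example.com"},                // bare TLD
        };
        for (String[] c : cases) {
            System.out.printf("%-14s on %-18s original=%-5b relaxed=%b%n",
                    c[0], c[1], originalCheck(c[0], c[1]), relaxedCheck(c[0], c[1]));
        }
    }
}
```

Neither check rejects a bare TLD such as ".com", which is the case the dot-count rule quoted in the comments was meant to cover.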

              evzijst Erik van Zijst (Inactive)
              shamid@atlassian.com shihab