• Type: Bug
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 2.0.4, 2.1
• Affects Version/s: 1.6.2, 2.0.3
• Component/s: SSO
• Labels:

  None

[CWD-1821] Cannot set cookie domain to wildcard version of exact host

Collapse comment: Erik van Zijst (Inactive) added a comment - 10/Feb/2010 6:36 AM

Erik van Zijst (Inactive) added a comment - 10/Feb/2010 6:36 AM

Also worth noting that you need at least 2 dots in the cookie domain...

Yes, except for:

[NETSC] did try to deal with the problem by requiring two internal
dots in the domain attribute (e.g. example.co.uk) when the TLD is not
one of the specified generic ones. Unfortunately, this rule was
never implemented correctly, and if it had been, it would have made
it impossible to use cookies in the many flat ccTLD domains.

Expand comment: Erik van Zijst (Inactive) added a comment - 10/Feb/2010 6:36 AM

Erik van Zijst (Inactive) added a comment - 10/Feb/2010 6:36 AM Also worth noting that you need at least 2 dots in the cookie domain... Yes, except for : [NETSC] did try to deal with the problem by requiring two internal dots in the domain attribute (e.g. example.co.uk) when the TLD is not one of the specified generic ones. Unfortunately, this rule was never implemented correctly, and if it had been, it would have made it impossible to use cookies in the many flat ccTLD domains.

Collapse comment: shihab added a comment - 10/Feb/2010 1:30 AM

shihab added a comment - 10/Feb/2010 1:30 AM

Also worth noting that you need at least 2 dots in the cookie domain for it to be considered valid: http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain

Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

Expand comment: shihab added a comment - 10/Feb/2010 1:30 AM

shihab added a comment - 10/Feb/2010 1:30 AM Also worth noting that you need at least 2 dots in the cookie domain for it to be considered valid: http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

Collapse comment: shihab added a comment - 10/Feb/2010 12:41 AM

shihab added a comment - 10/Feb/2010 12:41 AM

We'll patch it for 1.7-studio-4 and give you the changeset

Expand comment: shihab added a comment - 10/Feb/2010 12:41 AM

shihab added a comment - 10/Feb/2010 12:41 AM We'll patch it for 1.7-studio-4 and give you the changeset

Collapse comment: David O'Flynn [Atlassian] added a comment - 10/Feb/2010 12:29 AM

David O'Flynn [Atlassian] added a comment - 10/Feb/2010 12:29 AM

So... where's the patch?

Expand comment: David O'Flynn [Atlassian] added a comment - 10/Feb/2010 12:29 AM

David O'Flynn [Atlassian] added a comment - 10/Feb/2010 12:29 AM So... where's the patch?

Collapse comment: shihab added a comment - 10/Feb/2010 12:23 AM

shihab added a comment - 10/Feb/2010 12:23 AM

This also affects Login.java: isDomainValid in an identical manner.

Expand comment: shihab added a comment - 10/Feb/2010 12:23 AM

shihab added a comment - 10/Feb/2010 12:23 AM This also affects Login.java: isDomainValid in an identical manner.