Crowd Data Center / CWD-1821

Cannot set cookie domain to wildcard version of exact host

    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 2.0.4, 2.1
    • Affects Version/s: 1.6.2, 2.0.3
    • Component/s: SSO
    • Labels: None

      If Crowd is sitting on example.com, you are not able to set the cookie domain to .example.com. This should be allowed; see http://stackoverflow.com/questions/1062963/how-do-browser-cookie-domains-work

      Relevant code is in UpdateGeneral.java:

                  if (!(domain.equals("") || domain.equals(actualDomain) || (domain.startsWith(".") && actualDomain.endsWith(domain))))
                  {
                      addFieldError("domain", getText("options.domain.invalid"));
                  }
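
The condition quoted above, reproduced next to a relaxed variant, as an added example that is not Crowd's code and not the fix that shipped; `relaxedCheck`, the class name and the sample hosts are assumptions. The variant also refuses a dotted domain with no embedded dot (such as `.com`), which the original condition accepts; this is a minimal reading of the dot-count concern raised in the comments and does not replace a public-suffix list.

```java
import java.util.Locale;

public class CookieDomainCheck {

    // The condition quoted above from UpdateGeneral.java, behaviour unchanged.
    static boolean originalCheck(String domain, String actualDomain) {
        return domain.equals("") || domain.equals(actualDomain)
                || (domain.startsWith(".") && actualDomain.endsWith(domain));
    }

    // Hypothetical relaxed check (an assumption, not the shipped fix): compare with
    // the leading dot stripped so ".example.com" is accepted on host "example.com".
    static boolean relaxedCheck(String domain, String actualDomain) {
        if (domain.isEmpty()) {
            return true; // empty setting: host-only cookie
        }
        String host = actualDomain.toLowerCase(Locale.ROOT);
        String bare = domain.toLowerCase(Locale.ROOT);
        if (!bare.startsWith(".")) {
            return bare.equals(host); // undotted form must be the exact host
        }
        bare = bare.substring(1);
        // Dotted form: require an embedded dot so ".com" or ".localhost" is
        // refused, then accept the exact host or a parent on a label boundary.
        if (bare.indexOf('.') <= 0) {
            return false;
        }
        return bare.equals(host) || host.endsWith("." + bare);
    }

    public static void main(String[] args) {
        // Constructed cases: {configured cookie domain, host Crowd runs on}.
        String[][] cases = {
            {".example.com", "example.com"},        // the case from this issue
            {".example.com", "crowd.example.com"},  // parent domain for SSO
            {"example.com", "example.com"},         // exact host
            {".com", "example.com"},                // bare TLD
            {".localhost", "localhost"},            // dotted single label
            {".ample.com", "example.com"},          // suffix off a label boundary
        };
        for (String[] c : cases) {
            System.out.printf("%-14s on %-18s original=%-5b relaxed=%b%n",
                    c[0], c[1], originalCheck(c[0], c[1]), relaxedCheck(c[0], c[1]));
        }
    }
}
```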
      


            Erik van Zijst (Inactive) added a comment -

            Also worth noting that you need at least 2 dots in the cookie domain...

            Yes, except for:

            [NETSC] did try to deal with the problem by requiring two internal
            dots in the domain attribute (e.g. example.co.uk) when the TLD is not
            one of the specified generic ones. Unfortunately, this rule was
            never implemented correctly, and if it had been, it would have made
            it impossible to use cookies in the many flat ccTLD domains.

            shihab added a comment -

            Also worth noting that you need at least 2 dots in the cookie domain for it to be considered valid: http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain

            Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".


              evzijst Erik van Zijst (Inactive)
              shamid@atlassian.com shihab