Received: (qmail 19826 invoked by uid 2012); 23 Dec 1999 12:37:21 -0000 Message-Id: <19991223123721.19822.qmail@hyperreal.org> Date: 23 Dec 1999 12:37:21 -0000 From: Si Ly Reply-To: sly@sily.net To: apbugs@hyperreal.org Subject: I think setting of domains in cookies should be an optional item in zone.properties. X-Send-Pr-Version: 3.2 >Number: 5504 >Category: mod_jserv >Synopsis: I think setting of domains in cookies should be an optional item in zone.properties. >Confidential: no >Severity: serious >Priority: medium >Responsible: jserv >State: open >Class: change-request >Submitter-Id: apache >Arrival-Date: Thu Dec 23 04:40:01 PST 1999 >Last-Modified: Thu Dec 23 15:20:00 PST 1999 >Originator: sly@sily.net >Organization: apache >Release: Apache 1.3.9 + ApacheJServ 1.1b3 >Environment: Red Hat Linux 6.0 (Kernel 2.2.5) Blackdown JDK1.1.7v3 (green threads) >Description: Currently, the call to Cookie.setDomain() is commented out to address bug #2593 -- when the browser requests a page by IP address. (It probably also fix the case where the hostname is not a FQDN, i.e. http://localhost/.) However, this breaks when I want to have multiple Apache servers on different hosts load balancing against the same Servlet Zone. For example, http://www.foo.com/ and https://secure.foo.com/ both hit the same Servlet Zone and want to use the same sessions, but can't. >How-To-Repeat: Have to two Apache hosts, http://www.foo.com/ and https://secure.foo.com/ use the same Servlet Zone. Or even have one host listening on two different ports do the same. Sessions are created for each host (or port). >Fix: I suggest putting an optional property in zone.properties. Perhaps like this: session.cookie.domain=.foo.com >Audit-Trail: From: jon * To: Cc: Subject: Re: mod_jserv/5504: I think setting of domains in cookies should be an optional item in zone.properties. Date: Thu, 23 Dec 1999 11:34:57 -0800 on 12/23/99 4:37 AM, Si Ly wrote: > For > example, http://www.foo.com/ and https://secure.foo.com/ both hit the > same Servlet Zone and want to use the same sessions, but can't. Why not just make it https://www.foo.com? -jon -- Come to the first official Apache Software Foundation Conference! From: Si Ly To: jon * Cc: apbugs@hyperreal.org Subject: Re: mod_jserv/5504: I think setting of domains in cookies should be an optional item in zone.properties. Date: Thu, 23 Dec 1999 15:20:35 -0800 On Thu, Dec 23, 1999 at 11:34:57AM -0800, jon * wrote: > on 12/23/99 4:37 AM, Si Ly wrote: > > > For > > example, http://www.foo.com/ and https://secure.foo.com/ both hit the > > same Servlet Zone and want to use the same sessions, but can't. > > Why not just make it https://www.foo.com? For now, I'm just stuck with a certificate signed for secure.foo.com. But consider this... If I have a pool of Apache servers load balancing, some of the servers may be special. For example, some may be more powerful and run extra services, such as a chat server. In which case, I'd like to point browsers to http://chat.foo.com/, but the main application logic and session management should still be shareable (and live in the same Servlet Zone). It would also be possible that secure.foo.com is a dedicated machine, and SSL wouldn't be available on www.foo.com (which could be a pool of servers). -- Si >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]