domain session (cookies) shared across subdomains?


iaw4

Apr 27, 2017, 11:31:52 AM
to Mojolicious

dear M users.  I am planning to run a hypnotoad server that controls the entire domain ( syllabus.space ).  Thus, I want auth.syllabus.space and info.syllabus.space to share the session.  is this possible?  advice appreciated.  regards, /iaw

Stefan Adams

Apr 27, 2017, 12:41:27 PM
to mojolicious

On Thu, Apr 27, 2017 at 10:31 AM, iaw4 <ivo...@gmail.com> wrote:
dear M users.  I am planning to run a hypnotoad server that controls the entire domain ( syllabus.space ).  Thus, I want auth.syllabus.space and info.syllabus.space to share the session.  is this possible?  advice appreciated.  regards, /iaw

iaw4

Apr 27, 2017, 12:58:03 PM
to Mojolicious

thanks, stefan, again.  would you have an example?  I am using M::Lite with Mojolyst.  so,

...
app->secret( [ 'you', 'me', 'us' ] );
app->sessions->cookie_domain( getfinaltwo( $self->req->url->to_abs->host ) );
app->start();

regards,

/iaw

Stefan Adams

Apr 27, 2017, 3:54:07 PM
to mojolicious

On Thu, Apr 27, 2017 at 11:58 AM, iaw4 <ivo...@gmail.com> wrote:
app->secret( [ 'you', 'me', 'us' ] );
app->sessions->cookie_domain( getfinaltwo( $self->req->url->to_abs->host ) );
app->start();

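use Mojolicious::Lite;

get '/' => sub {
  my $c = shift;
  # Scope the session cookie to the parent domain of the requested host
  $c->app->sessions->cookie_domain(getfinaltwo($c->req->url->to_abs->host));
  $c->session(a=>1)->render(text=>"\n");
};
app->start;
# Keep only the last two dot-prefixed labels: "auth.syllabus.space" -> ".syllabus.space"
sub getfinaltwo { shift =~ s!^.*?((\.[^\.]+){2})$!$1!r }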

$ env MOJO_LOG_LEVEL=info perl /tmp/cookie  get -v -H 'Host: auth.syllabus.space' /
GET / HTTP/1.1
Accept-Encoding: gzip
User-Agent: Mojolicious (Perl)
Content-Length: 0

HTTP/1.1 200 OK
Server: Mojolicious (Perl)
Set-Cookie: mojolicious=eyJhIjoxLCJleHBpcmVzIjoxNDkzMzI2MzU2fQ----f04ee710665cef6c7380dd579a21efae3fcde802; expires=Thu, 27 Apr 2017 20:52:36 GMT; domain=.syllabus.space; path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Apr 2017 19:52:36 GMT
Content-Length: 1

ivo welch

Apr 27, 2017, 4:00:25 PM
to mojol...@googlegroups.com

thanks, stefan.  This will do if need be, but I was hoping there was a way to tell the app the cookie method right from start, rather than sticking this into each and every url.

----
Ivo Welch (ivo....@gmail.com)
http://www.ivo-welch.info/
J. Fred Weston Distinguished Professor of Finance
Anderson School at UCLA, C524
Free Finance Textbook, http://book.ivo-welch.info/
Exec Editor, Critical Finance Review, http://www.critical-finance-review.org/
Editor and Publisher, FAMe, http://www.fame-jagazine.com/


Stefan Adams

Apr 27, 2017, 4:03:46 PM
to mojolicious

On Thu, Apr 27, 2017 at 2:59 PM, ivo welch <ivo....@anderson.ucla.edu> wrote:
thanks, stefan.  This will do if need be, but I was hoping there was a way to tell the app the cookie method right from start, rather than sticking this into each and every url.

I imagine you could leverage a hook, like after_dispatch:

hook after_dispatch => sub {
  my $c = shift;
  $c->app->sessions->cookie_domain(getfinaltwo($c->req->url->to_abs->host));
};
get '/1' => sub {
  my $c = shift;
  $c->session(a=>1)->render(text=>"\n");
};
get '/2' => sub {
  my $c = shift;
  $c->session(b=>2)->render(text=>"\n");
};

iaw4

Apr 27, 2017, 5:10:35 PM
to Mojolicious

thanks, stefan.  this is what I will do, but let me see if I can ping the wizard to see if this can be set globally, so that one does not have to hook this.  this would seem like a good candidate for a global init setting, just like secret setting.

Stefan Adams

Apr 27, 2017, 5:13:24 PM
to mojolicious

On Thu, Apr 27, 2017 at 4:10 PM, iaw4 <ivo...@gmail.com> wrote:
if this can be set globally

It can (app->sessions->cookie_domain('.syllabus.space');), but I don't believe that you will be able to specify a request-specific cookie domain without a hook.  AFAIK

iaw4

Apr 27, 2017, 7:21:37 PM
to Mojolicious

hi stefan---thanks for the help.  it works without the hook, BUT there is a bug of some sort.  I am not clear where.

firefox and safari cannot handle http://subdomain.localhost:3000/ ; only chrome can.  this somewhat limits the testing to this one browser.  

run the following code in a chrome browser.  there are essentially three modes now:

1. comment out the "$cookiedomain="localhost"" line, and run on localhost.  cookies cannot cross subdomain, but they work within subdomains.  this is M's normal behavior.

2. leave as is and run on localhost.  chrome is now no longer able to change the cookie.  it can still read the old cookie (set with 1).

3. comment out the "$cookiedomain="localhost"" line, replace with the subsequent line (syllabus.space or whatever other domain you may have lying around), and run the code on this server domain.  everything works perfectly now.  the session can cross subdomains.

I don't know whether this is an M bug or a chrome-localhost bug.  this makes testing more difficult.  the code can now run only in final production mode on the specific server, or I "hand-hook" it.

#!/usr/bin/env perl
use Mojolicious::Lite;

my $cookiedomain;

$cookiedomain = "localhost";  ## comment out to leave cookiedomain undef; then it works for each subdomain, but cookies cannot cross
## $cookiedomain= "syllabus.space";   ## this works just fine when on ; cookies can cross

get '/' => sub {
  my $c= shift;

  ## not needed: ($cookiedomain) and $c->app->sessions->cookie_domain($cookiedomain);
  my $fulldomain= $c->req->url->to_abs->host;
  ($fulldomain =~ /$cookiedomain/) or die "please update the cookie domain to $fulldomain";

  my $incookie= $c->session->{nicecookie} || "NO INCOOKIE DEFINED";
  $c->session->{nicecookie}= time()." at ".$fulldomain;
  my $outcookie= $c->session->{nicecookie};

  my $bigdomain= $cookiedomain || "localhost";
  my $texts= qq(
        <h1> cookie tester </h1>
        <p>our incookie was '$incookie'</p>
        <p>our outcookie is '$outcookie'</p>
        <hr />
        <p>you are currently in domain '$fulldomain' ($bigdomain)</p>
        <hr />
        <p>main domain <a href='http://$bigdomain:3000/'>go to /</a></p>
        <p>subdomain <a href='http://s1.$bigdomain:3000/'>go to /s1</a></p>
        <p>subdomain <a href='http://s2.$bigdomain:3000/'>go to /s2</a></p>
        <hr />
        <p>the cookiedomain is $cookiedomain.</p>
  );

  $c->render(text => $texts);
};

($cookiedomain) and app->sessions->cookie_domain($cookiedomain);
app->start;


/iaw

Stefan Adams

Apr 27, 2017, 11:37:21 PM
to mojolicious

On Thu, Apr 27, 2017 at 6:21 PM, iaw4 <ivo...@gmail.com> wrote:
I don't know whether this is an M bug or a chrome-localhost bug.  this makes testing more difficult.  the code can now run only in final production mode on the specific server, or I "hand-hook" it.

Again, there are no bugs with Mojolicious, not at this level.  ;)

Try setting $cookiedomain = "www.localhost" and then try your test again browsing to http://www.localhost.  According to the Netscape cookie spec, "Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them"
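
Added example, not part of the thread and not Mojolicious' own code: the after_dispatch hook discussed above, but picking the cookie domain from a fixed allowlist instead of the last two labels of the client-supplied Host header (getfinaltwo would return ".co.uk" for www.example.co.uk, a public suffix that browsers refuse as a cookie domain). The names @ALLOWED_PARENTS and cookie_domain_for, the route and the secret are assumptions made for this example.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;

# Assumption: the parent domains this app may scope its session cookie to.
# "syllabus.space" is the domain from the thread.
my @ALLOWED_PARENTS = ('syllabus.space');

# Return ".parent" when $host is an allowed parent or one of its subdomains.
# Otherwise return an explicit undef: a bare "return" would yield an empty
# list in the hook below, turning the setter call into a getter and leaving
# the previous request's domain in place.
sub cookie_domain_for {
  my $host = lc(shift // '');
  $host =~ s/\.\z//;    # tolerate a trailing dot in the Host header
  for my $parent (@ALLOWED_PARENTS) {
    return ".$parent" if $host eq $parent || $host =~ /\.\Q$parent\E\z/;
  }
  return undef;         # unknown host: cookie stays host-only
}

# after_dispatch runs before the session cookie is written, so the domain
# chosen here is the one that ends up in Set-Cookie.
hook after_dispatch => sub {
  my $c = shift;
  $c->app->sessions->cookie_domain(
    cookie_domain_for($c->req->url->to_abs->host));
};

get '/' => sub {
  my $c = shift;
  $c->session(seen => time)->render(text => "ok\n");
};

app->secrets(['replace-with-a-long-random-value']);    # placeholder secret
app->start;
```

Run with the same `get -v -H 'Host: ...' /` command shown earlier in the thread: a Host of auth.syllabus.space yields domain=.syllabus.space, while any host outside the allowlist yields a Set-Cookie header with no domain attribute.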