Incorrect cookie being sent when mapping domains into apps (possible bug?)


Lisandro

Feb 9, 2018, 6:09:08 AM
to web2py-users
Hi there! I've run into this situation that looks like a bug. 
I've found the problem when trying to make two apps share the sessions (storing sessions in files or in database). But the problem only happens when I use the parameter-based router in order to exclusively map domains to apps. 
I've been able to reproduce it from scratch using web2py last stable version (2.16.1). Here are the steps I follow to reproduce the problem:


1) Download and unzip web2py

2) From the admin app, create two new apps: test and test_panel

3) As we need the two apps to use the same database, delete applications/test_panel/models/db.py and replace it by a symlink pointing to applications/test/models/db.py

4) In models/db.py add this line right after instantiating DAL, in order to connect to the session:

session.connect(request, response, cookie_key='mycookiekey', masterapp='test')

Notice the "masterapp" argument is pointing to the "test". 
Remember both apps use the same model (symlinked). 

5) The login/register/logout will be done in "test" app. For the sake of this example, we won't make any more changes to the apps (we would have to delete the login/register/logout functions at test_panel app, as the login will be done only in test app, but it's not necessary for this example). Notice the only change we did is "session.connect" in the model, nothing more.


Up to here, it works like a charm. I can log in to the test app, and then I go to test_panel app and I can see that I'm logged in.
If I inspect the request cookies when accessing test_panel app, I can see there are a couple of cookies sent:

session_id_test
session_data_test
session_id_test_panel
session_id_admin

The important part here is that the "session_data_test" cookie is sent, that is, the cookie that was written when I logged in at test app.

So, everything works ok here. Both apps are sharing cookie sessions.
However, the problem appears if we want to access test app in the main domain and test_app in a subdomain.
Here are the steps to reproduce the problem:


6) Create a routes.py file at the web2py root folder, and put this content:

# -*- coding: utf-8 -*-

routers = dict(
    BASE=dict(
        default_controller='default',
        default_function='index',
        domains={
            'test.com': 'test',
            'panel.test.com': 'test_panel'
        },
        exclusive_domain=True,
    )
)


7) Edit the /etc/hosts file and add both domains as localhost: test.com and panel.test.com. This way, each app can be accessed only through the specified domain.

This is where the problem appears. Apps no longer share sessions. 
I log in at test.com (remember to use the 8000 port or whatever port you used to start web2py's embedded server).
Then I go to panel.test.com, inspect the request cookies and I see these cookies are being sent:

session_id_test
session_id_test_panel

Notice there is no "session_data_test" cookie being sent, that's why I'm not logged in when I go to panel.test.com.


This problem is the same when the sessions are stored in database. In order to make that test, just replace session.connect with this:

session.connect(request, response, db=db, masterapp='test')

The problem is the same. Sessions are correctly shared, but the moment you configure routes.py to map each app to a specific domain, cookies aren't shared anymore.
Is this the expected behaviour or could it be a bug?

Thanks in advance.
Regards,
Lisandro
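
Added example, not part of the original post and not web2py code: a small model of browser cookie scoping under RFC 6265, applied to the two hosts from the post. It assumes the login cookies are set without a Domain attribute (host-only); the names Cookie, domain_match, sent_to and cookies_for are hypothetical, and the cookie jars are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    set_by: str                   # host whose response set the cookie
    domain: Optional[str] = None  # Domain attribute; None means host-only


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: same host, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    host = request_host.split(":")[0].lower()  # the port plays no part
    if cookie.domain is None:                  # host-only: exact match only
        return host == cookie.set_by.lower()
    return domain_match(host, cookie.domain)


def cookies_for(jar, request_host):
    """Names of the cookies in jar that go out with a request to request_host."""
    return sorted(c.name for c in jar if sent_to(c, request_host))


# Constructed jars: the two cookies written at login on test.com, first
# host-only (assumed default), then with Domain=test.com (assumed change).
HOST_ONLY = [Cookie("session_id_test", "test.com"),
             Cookie("session_data_test", "test.com")]
WIDENED = [Cookie(c.name, c.set_by, domain="test.com") for c in HOST_ONLY]

if __name__ == "__main__":
    for label, jar in (("host-only", HOST_ONLY), ("Domain=test.com", WIDENED)):
        for host in ("test.com:8000", "panel.test.com:8000"):
            print(f"{label:16} -> {host:20} {cookies_for(jar, host)}")
```

A cookie scoped with Domain=test.com is sent to every host under test.com, so each subdomain then has to be trusted with the session.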