Identity framework: Session cookie not sent


Keir Mierle

Jan 4, 2006, 3:31:16 AM
to TurboGears
I integrated the identity framework into my app, but it appears the
session cookie is never sent.

Here's what happens: I have a /save page which @requires not_anonymous.
The user tries to visit /save, they are redirected to /login with extra
parameters stored in the login form. If the user types in a valid l/p,
then the content is correctly saved and everything is good. Except that
there is no identity cookie sent, so there is no lasting record of the
session. Oddly enough, there is a secret_token in my database
corresponding to the user who logged in; however it is not sent.

Note that I have duplicated the relevant fields from somodel.py and
specified the following in my dev.cfg:
identity.on=True
identity.failure_url="/login"
identity.soprovider.model="myproject.model"
identity.soprovider.model.user="User"
identity.soprovider.model.group="Role"
identity.soprovider.model.permission="Permission"
identity.soprovider.model.secret_token="SecretToken"
identity.session.cookie.host="localhost"

This is with SVN 441. Any help is appreciated.

Keir

Jeff Watkins

Jan 4, 2006, 8:30:57 AM
to turbo...@googlegroups.com
Weird. I'm able to reproduce this with the sample app I've been using to test the Identity framework. I'll look into it a bit more and let you know what I find.

-- 

Jeff Watkins

http://newburyportion.com/


Computers, they're just a fad.



Jeff Watkins

Jan 4, 2006, 8:58:19 AM
to turbo...@googlegroups.com
According to section 4.2.2 of RFC 2109 (the Cookie spec) a domain
MUST begin with a period. If you are using Safari, you can explicitly
specify "localhost.local" and it will work. However, I've not found
any combination that works for Firefox.

The primary purpose of the cookie host is to specify a broader domain
for the cookie rather than the originating server. So specifying
localhost is not really necessary (that would be the default if you
access http://localhost:8080/).

I suppose I should rename identity.session.cookie.host to
identity.session.cookie.domain to be more clear.

On 4 Jan, 2006, at 3:31 am, Keir Mierle wrote:

--
Jeff Watkins
http://newburyportion.com/

'I know about people who talk about suffering for the common good.
It's never bloody them! When you hear a man shouting "Forward, brave
comrades!" you'll see he's the one behind the bloody big rock and the
one wearing the only really arrow-proof helmet!'
-- Rincewind gives a speech on politics. (Terry Pratchett,
Interesting Times)
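
The Domain rule cited in the message above, as an added example that is not part of the original thread or of TurboGears: it builds the Set-Cookie header with Python's SimpleCookie for several Domain values and applies the Domain checks of RFC 2109 section 4.3.2 as the RFC words them. The cookie name, host names and function names are constructed for illustration, and a given browser may apply different rules.

```python
from http.cookies import SimpleCookie


def build_set_cookie(value, domain=None):
    """Build the Set-Cookie header value a server would send for a session cookie."""
    cookie = SimpleCookie()
    cookie["session_id"] = value          # constructed cookie name
    cookie["session_id"]["path"] = "/"
    if domain:                            # an omitted Domain defaults to the request host
        cookie["session_id"]["domain"] = domain
    return cookie["session_id"].OutputString()


def rfc2109_domain_problem(set_cookie, request_host):
    """Return why an RFC 2109 client rejects the cookie's Domain, or None if accepted.

    Covers host names only; follows the Domain rules of RFC 2109 section 4.3.2.
    """
    parsed = SimpleCookie()
    parsed.load(set_cookie)
    morsel = next(iter(parsed.values()))
    domain = morsel["domain"].lower()
    host = request_host.lower()
    if not domain:
        return None                       # no explicit Domain: nothing to reject
    if not domain.startswith("."):
        return "Domain does not start with a dot"
    if "." not in domain.strip("."):
        return "Domain contains no embedded dots"
    if not host.endswith(domain) or host == domain:
        return "request host does not domain-match Domain"
    if "." in host[: -len(domain)]:
        return "host prefix before Domain contains a dot"
    return None


if __name__ == "__main__":
    # Constructed (Domain value, request host) pairs.
    cases = [("localhost", "localhost"), (".localhost", "localhost"),
             (None, "localhost"), (".example.com", "app.example.com"),
             (".example.com", "a.b.example.com")]
    for domain, host in cases:
        header = build_set_cookie("abc123", domain)
        print(f"{host:16} {header:48} -> {rfc2109_domain_problem(header, host)}")
```
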


Lee McFadden

Jan 4, 2006, 9:05:49 AM
to turbo...@googlegroups.com
Does it have to be a domain? What happens if you just want to run
your site, internally, on an ip address with no domain associated with
it? Will the ip then be substituted?

Lee

Jeff Watkins

Jan 4, 2006, 9:28:40 AM
to turbo...@googlegroups.com
I've no idea. Whatever Python's SimpleCookie does is what you get. The RFC doesn't specify what happens with IP addresses.

On 4 Jan, 2006, at 9:05 am, Lee McFadden wrote:

> Does it have to be a domain? What happens if you just want to run
> your site, internally, on an ip address with no domain associated with
> it? Will the ip then be substituted?

