Feature Proposal: Make the login manager's cookie (domain) realm configurable.
Motivation
I want to share the cookie among different hosts in my company realm (*.company.com).
Description and Documentation
Add a -domain parameter to the cookie creator in LoginManager.pm and make its value available as an expert option.
Examples
    my $cookie = CGI::Cookie->new(
        -name     => $Foswiki::LoginManager::Session::NAME,
        -value    => $this->{_cgisession}->id(),
        -path     => '/',
        -domain   => $someExpertOption,    # add this: domain taken from the new expert option
        -httponly => 1
    );
Impact
Implementation
--
Contributors: OliverKrueger - 14 Jan 2010
Discussion
I support this.
Could we also take this opportunity to not hard-code the path to '/'? While debugging a cookie problem I had, I came across some sources that suggested against this, e.g. http://research.corsaire.com/whitepapers/040323-cookie-path-best-practice.pdf
If my understanding is correct (it very well might not be), it's possible (shared host/access situation?) that a foswiki installation at http://thehost.com/foocustomer/foswiki might be vulnerable to an account holder at http://thehost.com/barcustomer/* ... if the same user visits both sites, the browser could expose their foswiki cookies to barcustomer.
In the above example, if the cookie path was equal to the foswiki root path by default ('/foocustomer/foswiki'), the user's browser would not expose foswiki cookies to barcustomer.
--
PaulHarvey - 14 Jan 2010
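As an added worked example (not code from the proposal or from Foswiki's LoginManager.pm), the following builds the session cookie with both the proposed -domain option and the configurable -path suggested above, then checks, with simplified RFC 6265 domain-match and path-match rules, which requests a browser would attach the cookie to. The option names CookieDomain and CookiePath are hypothetical placeholders, not real Foswiki configure keys, and the hostnames and session id are constructed.

```perl
use strict;
use warnings;
use CGI::Cookie;

# Hypothetical expert options (assumed names, not real Foswiki configure keys);
# undef for either gives today's behaviour: a host-only cookie with path '/'.
my %cfg = ( CookieDomain => '.company.com', CookiePath => '/foocustomer/foswiki' );

# Build the session cookie as the proposal suggests: -domain and -path come
# from configuration instead of being hard-coded in LoginManager.pm.
sub session_cookie {
    my ( $name, $id, $cfg ) = @_;
    my %args = (
        -name     => $name,
        -value    => $id,
        -path     => defined $cfg->{CookiePath} ? $cfg->{CookiePath} : '/',
        -httponly => 1,
    );
    $args{-domain} = $cfg->{CookieDomain} if defined $cfg->{CookieDomain};
    return CGI::Cookie->new(%args);
}

# Simplified RFC 6265 domain-match and path-match: would a browser holding
# $cookie (set by $origin_host) attach it to a request for $host$path?
sub browser_would_send {
    my ( $cookie, $origin_host, $host, $path ) = @_;
    my $cd = $cookie->domain;
    my $domain_ok;
    if ( defined $cd && length $cd ) {
        ( my $d = lc $cd ) =~ s/^\.//;    # a leading dot is ignored
        $domain_ok = lc($host) eq $d || lc($host) =~ /\.\Q$d\E\z/;
    }
    else { $domain_ok = lc($host) eq lc($origin_host) }    # host-only cookie
    my $cp = $cookie->path // '/';
    my $path_ok = $path eq $cp
      || ( $cp =~ m{/\z} && index( $path, $cp ) == 0 )
      || index( $path, "$cp/" ) == 0;
    return ( $domain_ok && $path_ok ) ? 1 : 0;
}

my $c = session_cookie( 'FOSWIKISID', 'constructed-session-id', \%cfg );
print $c->as_string, "\n";    # the Set-Cookie header value that would be emitted
for my $req ( [ 'wiki.company.com',  '/foocustomer/foswiki/bin/view' ],    # same host
              [ 'wiki2.company.com', '/foocustomer/foswiki/bin/view' ],    # shared via -domain
              [ 'wiki.company.com',  '/barcustomer/index.html' ],          # blocked by -path
              [ 'evil.example.org',  '/foocustomer/foswiki/bin/view' ] ) { # other domain
    printf "%-18s %-31s %s\n", @$req, browser_would_send( $c, 'wiki.company.com', @$req ) ? 'sent' : 'not sent';
}
```

Setting CookieDomain to undef turns the cookie back into a host-only cookie, so the wiki2.company.com request stops receiving it; setting CookiePath to undef restores '/' and the /barcustomer/ request starts receiving it, which is the exposure the whitepaper warns about.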
I support this as well. I came across this same capability in the Sympa email list software. It is useful in an SSO configuration where a domain-wide cookie might be set for session purposes.
--
GeorgeClark - 14 Jan 2010
We (www.eberspaecher.com) support this as well, just in case you need some more votes ;-).
--
CedricWeber - 14 Jan 2010
Sounds good to me. Accepted by the 14-day rule.
--
CrawfordCurrie - 17 Feb 2010