Session cookie seems to ignore server's port, which causes issues when a user opens multiple applications from the same host in the same browser #42

Closed
Bl4cksunLtd opened this issue Feb 27, 2018 · 6 comments

@Bl4cksunLtd
Contributor

I have two applications running on a backend server. They open their gowut servers on different ports (same IP/hostname). I open a browser and connect to the first app and authenticate, everything is ok. Starting a second browser instance/tab and authenticating to the second application stops the first browser session from working. There are no errors, and re-authenticating fixes it but breaks the other session.
However if I use a different browser to connect to the second application, everything works as expected and both applications work as intended.

@icza
Owner

icza commented Feb 27, 2018

This is the expected working, because from the cookie specification (RFC 6265, which replaces RFC 2109 and RFC 2965):

Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.

Gowut sets cookies as app URL specific. So if you use different app names in your different Gowut servers, it should work.

Using the same app URL, it could only work if the Gowut servers would use different cookie names for storing the Gowut session ID. Currently this is not supported. Do you feel a need for it?

@Bl4cksunLtd
Contributor Author

Bl4cksunLtd commented Feb 27, 2018

Ah ok, I'd used "" as the app name for both applications as I wanted them both off the root e.g. host:port/
For my application, it only affects a small number of people who need access to both apps on the same host, so for them (most are split onto different hosts), they can use two different browsers for now.

@icza
Owner

icza commented Feb 27, 2018

I could add support so that you could specify at the gwu.Server what cookie name to use to store the session ID. Then you could use different cookie names for your 2 servers, and so they wouldn't collide.

@Bl4cksunLtd
Contributor Author

That would be perfect for me and may be of use to others. Thanks

@icza icza reopened this Feb 27, 2018
@icza
Owner

icza commented Feb 28, 2018

Done. Added Server.SessIDCookieName() and SetSessIDCookieName() methods, see commit 8140e5a

Available on the dev branch.

@icza
Owner

icza commented Feb 28, 2018

Will go live with the v1.4.0 public version, you may use the dev branch meanwhile if you want to.

@icza icza closed this as completed Feb 28, 2018
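
The collision discussed in this thread, and the effect of giving each server its own session cookie name, reproduced as an added example that is not part of the thread and not Gowut code. It uses only Go's standard library, with a `net/http/cookiejar` jar standing in for one browser profile; `newApp`, `sessionSeenByFirstApp`, the cookie names and the session values are constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// newApp starts a constructed stand-in for one app server rooted at "/".
// GET /login issues the session cookie; any other path echoes the session
// ID the server received under its own cookie name.
func newApp(cookieName, sessID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/login" {
			http.SetCookie(w, &http.Cookie{Name: cookieName, Value: sessID, Path: "/", HttpOnly: true})
			return
		}
		if c, err := r.Cookie(cookieName); err == nil {
			fmt.Fprint(w, c.Value)
		}
	}))
}

// sessionSeenByFirstApp logs one browser profile (a single cookie jar) into
// app A, then app B on another port, and returns what A receives afterwards.
func sessionSeenByFirstApp(nameA, nameB string) string {
	a, b := newApp(nameA, "sess-A"), newApp(nameB, "sess-B")
	defer a.Close()
	defer b.Close()
	jar, _ := cookiejar.New(nil) // the jar keys cookies by host, not host:port
	client := &http.Client{Jar: jar}
	var body []byte
	for _, u := range []string{a.URL + "/login", b.URL + "/login", a.URL + "/"} {
		resp, err := client.Get(u)
		if err != nil {
			panic(err)
		}
		body, _ = io.ReadAll(resp.Body)
		resp.Body.Close()
	}
	return string(body)
}

func main() {
	fmt.Println("same name:     ", sessionSeenByFirstApp("sess-id", "sess-id"))
	fmt.Println("distinct names:", sessionSeenByFirstApp("app-a-sess-id", "app-b-sess-id"))
}
```

With distinct names the first server still receives the second server's cookie on every request, because cookies are not isolated by port; the names only stop one session ID from overwriting the other.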