Hi, I recently found that cookies mod_auth_mellon produces always have a Domain attribute, regardless of whether MellonCookieDomain is specified or not.
While I was setting up my new server as an SP, I ran into a problem where a redirect loop occurred after login. The cause was that the browser had a cookie with the same name but a different domain, e.g. example.org here, while my new server was something like myapp.example.org, so mod_auth_mellon couldn't receive the correct cookie. I solved it by setting MellonVariable so that the cookie name didn't collide.
Now, I think it would be nicer if mod_auth_mellon could produce host-only cookies. Right now, cookies from example.org are also sent to myapp.example.org. This could be a security problem. How about making this configurable with a new directive, MellonCookieHostOnly On? If this setting is enabled, MellonCookieDomain would be ignored.