<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <title>Persistent Cookies cross app contamination.</title>
  <link rel="self" href="https://liferay.dev/ca/c/message_boards/find_thread?p_l_id=119785294&amp;threadId=1621432" />
  <subtitle>Persistent Cookies cross app contamination.</subtitle>
  <id>https://liferay.dev/ca/c/message_boards/find_thread?p_l_id=119785294&amp;threadId=1621432</id>
  <updated>2026-05-07T16:44:03Z</updated>
  <dc:date>2026-05-07T16:44:03Z</dc:date>
  <entry>
    <title>Persistent Cookies cross app contamination.</title>
    <link rel="alternate" href="https://liferay.dev/ca/c/message_boards/find_message?p_l_id=119785294&amp;messageId=1621431" />
    <author>
      <name>Alex Wallace</name>
    </author>
    <id>https://liferay.dev/ca/c/message_boards/find_message?p_l_id=119785294&amp;messageId=1621431</id>
    <updated>2008-11-21T16:39:31Z</updated>
    <published>2008-11-21T16:39:31Z</published>
    <summary type="html">Hi All... &lt;br /&gt;&lt;br /&gt;I see an issue with the current way persistent cookies are created.&lt;br /&gt;&lt;br /&gt;First, since there is no option to use the strict sub domain name for the cookie domain, the cookies are made available to a wide set of applications. &lt;br /&gt;&lt;br /&gt;We run PHP and other Liferay instances in the same domain (phpapp1.mydomain.com, phpapp2.mdomain.com, liferay-stage.mydomain.com, liferay-live.mydomain.com) and by visiting any of the Liferay instances a set of cookies is made available to all applications... &lt;br /&gt;&lt;br /&gt;&lt;a href="http://issues.liferay.com/browse/LEP-5994"&gt;LEP-5994&lt;/a&gt; seems to fix the issue of wrong company Id things... But what if the company id does match across the Liferay sites but you don&amp;#39;t really intend to authenticate users across?&lt;br /&gt;&lt;br /&gt;Furthermore, the cookie names are really very generic. COMPANY_ID and ID for example are possibly used as well in other applications...&lt;br /&gt;&lt;br /&gt;In PHP, $_REQUEST will give you the cookie values as well... Some of the apps we run look for ID in the $_REQUEST and needless to say, they are getting the unexpected value Liferay sets on ID...    Bad PHP apps... bad app... 
&lt;br /&gt;&lt;br /&gt;In my opinion, there should be, if possible, an option to force the persistent cookies to use the same domain used for example for COOKIE_SUPPORT, the full server subdomain being accessed.&lt;br /&gt;&lt;br /&gt;I imagine there could be a reason to share these cookies across sub domains, but I think there could be a configurable property in portal.properties to use the strict subdomain.&lt;br /&gt;&lt;br /&gt;Second, it may be a good idea to be able to prefix the cookie names with some configurable value so that the names are not so generic and can be shared, but minimize the risk of collisions...&lt;br /&gt;&lt;br /&gt;I would love to hear from LR about this, and definitely willing to contribute the change if it makes sense and doesn&amp;#39;t pose dangers I&amp;#39;m not thinking about...&lt;br /&gt;&lt;br /&gt;Thanks!</summary>
    <dc:creator>Alex Wallace</dc:creator>
    <dc:date>2008-11-21T16:39:31Z</dc:date>
  </entry>
</feed>
