"Namespace" cookie names to support subdomains. [#1369660]

I'd like to namespace the shared cookies in a standard way (based on the cookie domain), to prevent getting cookies that can't be deleted on a sub-sub domain.

For example, we have environments like *.example.com, *.a.dev.example.com, *.demo.example.com, *.stage.example.com. Cookies from *.example.com have been encrypted with a different key, so at least they are invalid in these environments, but the subsites can't actually overwrite/delete the cookie from *.example.com, so if you have a cookie from there, you can't login.

I could be wrong on this, here's a stackoverflow q with answers seeming to agree though - http://stackoverflow.com/questions/3923285/how-to-remove-main-domain-coo....

The only solution I could come up with is to namespace the cookies with the cookie domain, e.g. EXAMPLE_COM_CHOCOLATECHIP.

Thoughts?

Comment	File	Size	Author
#19	bakery-namespace-cookies-1369660-19-D6.patch	4.27 KB	coltrane
#19	bakery-namespace-cookies-1369660-19-D7.patch	4.29 KB	coltrane
#13	bakery-namespace-cookies-1369660-13-D6.patch	4.03 KB	BarisW
#13	bakery-namespace-cookies-1369660-13-D7.patch	3.99 KB	BarisW
#12	bakery-namespace-cookies-1369660-12-D7.patch	3.97 KB	coltrane
#12	bakery-namespace-cookies-1369660-12-D6.patch	4.02 KB	coltrane
#8	bakery-namespace-cookies-1369660-8-D7.patch	4.04 KB	bcmiller0
#4	bakery-namespace-cookies-1369660-4-D7.patch	4.16 KB	glennpratt
#3	bakery-namespace-cookies-1369660-3-D6.patch	3.94 KB	glennpratt
#2	bakery-namespace-cookies-1369660-2-D6.patch	4.88 KB	glennpratt

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

glennpratt CreditAttribution: glennpratt commented 13 December 2011 at 18:59

My other thought is to restructure bakery to not care if a cookie from another domain is set, overwrite it if it needs one, ignore it if it doesn't.

In testing though, I can't seem to make that work, the cookie from the parent domain appears to win.

Comment #2

glennpratt CreditAttribution: glennpratt commented 13 December 2011 at 22:30

File	Size
bakery-namespace-cookies-1369660-2-D6.patch	4.88 KB

It seems parent domain cookies override sub domain cookies no matter what I do, so I went with namespace as the original proposal. Basically:

$type . md5($cookie_domain);

Resulting in:

CHOCOLATECHIP10b8124b78109b738f753a7c9962b1ae

D6 patch, D7 to follow.

Comment #3

glennpratt CreditAttribution: glennpratt commented 13 December 2011 at 22:36

Version:

7.x-2.x-dev

» 6.x-2.x-dev

File	Size
bakery-namespace-cookies-1369660-3-D6.patch	3.94 KB

Sorry, included another patch. Still rolling the 7.x patch.

Comment #4

glennpratt CreditAttribution: glennpratt commented 13 December 2011 at 23:13

Version:

6.x-2.x-dev

» 7.x-2.x-dev

File	Size
bakery-namespace-cookies-1369660-4-D7.patch	4.16 KB

7.x patch.

These patches also have add some DRY-ness to the SSL cookie patch.

Comment #5

glennpratt CreditAttribution: glennpratt commented 13 December 2011 at 23:14

Category:	task	» bug
Status:	Active	» Needs review

I'm changing this to a bug, I'm sure it's not major, but it's pretty frustrating for our use case. Basically we can only have one Bakery environment on our domain without it (no demo, no dev-stage, etc).

Comment #6

coltrane

he/him

CreditAttribution: coltrane commented 21 January 2012 at 20:25

Category:

bug

» feature

I understand it's pretty frustrating, but it's a feature request to handle your specific use case. I haven't reviewed the patch yet, will think on this more. I understand you want to support your work flow but I hesitate in all cases of increasing the complexity of the code base.

Comment #7

glennpratt CreditAttribution: glennpratt commented 23 January 2012 at 14:05

I hear you, though I really think the complexity is minimal, considering the SSL patch that is already in. Here is the cookie name function from the patch:

 /**
<?php
/**
 * Generate the name for a bakery cookie, this prevents domain
 * mismatch on subdomains that are not part of a parent domains bakery config.
 *
 * @param string $type
 *   CHOCOLATECHIP or OATMEAL, default CHOCOLATECHIP
 * @return string
 *   The namespaced cookie name for this environment.
 */
function _bakery_cookie_name($type = 'CHOCOLATECHIP') {
  // Use different names for HTTPS and HTTP to prevent a cookie collision.
  if (ini_get('session.cookie_secure')) {
    $type .= 'SSL';
  }
  // Namespace the cookie by the cookie domain.  Use md5 to avoid using any
  // reserved cookie terms (all of which contain non-hex characters):
  //   "expires", "domain", "path", and "secure".
  $name = $type . md5(variable_get('bakery_domain', ''));
  return $name;
}
?>

Comment #8

bcmiller0 CreditAttribution: bcmiller0 commented 7 May 2012 at 21:06

Version:

7.x-2.x-dev

» 7.x-2.0-alpha3

File	Size
bakery-namespace-cookies-1369660-8-D7.patch	4.04 KB

re-rolled against alpha3 tag, and also adding some missing cookie_secure's.

Comment #9

drumm

he/him

NY, US

CreditAttribution: drumm commented 26 September 2012 at 02:30

I like this patch, it will make #1795118: Better support for mixed SSL environments a smaller patch. I haven't had a chance to test it, but I can confirm it applies nicely and looks okay.

Comment #10

glennpratt CreditAttribution: glennpratt commented 16 October 2012 at 20:53

I would love to see this patch go in or get some feedback - it's hard to roll other patches around it.

If the namespace is a show stopper, then maybe we can settle on using a function to name cookies and not smattering code everywhere that does it... that will make the namespace patch much smaller.

Comment #11

coltrane

he/him

CreditAttribution: coltrane commented 16 October 2012 at 21:35

Note, for others to help with testing there's a VM with cucumber tests https://github.com/bjeavons/Bakery-Chef

(/me needs to document using it)

Comment #12

coltrane

he/him

CreditAttribution: coltrane commented 24 January 2013 at 00:04

File	Size
bakery-namespace-cookies-1369660-12-D6.patch	4.02 KB
bakery-namespace-cookies-1369660-12-D7.patch	3.97 KB

Rerolled for D7 and D6.

Comment #13

BarisW CreditAttribution: BarisW commented 29 January 2013 at 14:11

File	Size
bakery-namespace-cookies-1369660-13-D7.patch	3.99 KB
bakery-namespace-cookies-1369660-13-D6.patch	4.03 KB

Hi coltrane,

thanks for the patches. I've spend days debugging to get Bakery get past Varnish and it seemed that Varnish strips out cookies that don't start with a specific name. See http://help.getpantheon.com/pantheon/topics/_cookie_cookiename_works_on_...

By adding SESS in front of the cookie name (and by making sure the cookiename is lowercase), Varnish lets the cookie pass.

Comment #14

glennpratt CreditAttribution: glennpratt commented 29 January 2013 at 14:14

@BarisW - You probably have something in your VCL that is looking for SESS. Just add something similar to allow CHOCOLATECHIP.

If you need help, post your VCL somewhere and ping me in IRC.

Comment #15

coltrane

he/him

CreditAttribution: coltrane commented 29 January 2013 at 18:15

Yes, you should change your Varnish configuration to let the Bakery cookies pass. It would be incorrect to prefix Bakery cookies with "SESS".

Comment #16

BarisW CreditAttribution: BarisW commented 29 January 2013 at 18:40

Not everyone is able to configure their Varnish configuration. For example; at Pantheon I can submit a request to get it added, but I cannot do it myself.

What if we introduce a variable to do this? Or better, make it pluggable?

By changing this:

<?php
$name = $type . md5(variable_get('bakery_domain', ''));
return 'SESS' . strtolower($type);
?>

Into:

<?php
$name = $type . md5(variable_get('bakery_domain', ''));
return drupal_alter('bakery_cookie_name', $name);
?>

So I can just implement:

<?php
function MYMODULE_bakery_cookie_name(&$name) {
  return 'SESS' . strtolower($name);
}
?>

Comment #17

coltrane

he/him

CreditAttribution: coltrane commented 29 January 2013 at 20:36

That would be, ok. In fact this whole hashing addition to the cookie name could be implemented by a custom module for the use-case that Glenn has. Would that be ok with you Glenn?