vary session cookie name by public_url when public_url is not browserid.org -...

vary session cookie name by public_url when public_url is not browserid.org - this addresses issues which affect testing with IE when cookies are set for both, diresworb.org and dev.diresworb.org.  closes #296.

lib/wsapi.js

@@ -38,7 +38,18 @@ var abide = i18n.abide({
 });
 
 const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', config.get('var_path'));
-const COOKIE_KEY = 'browserid_state';
+var COOKIE_KEY = 'browserid_state';
+
+// to support testing of browserid, we'll add a hash fragment to the cookie name for
+// sites other than browserid.org.  This is to address a bug in IE, see issue #296
+if (config.get('public_url').indexOf('https://browserid.org') !== 0) {
+  const crypto = require('crypto');
+  var hash = crypto.createHash('md5');
+  hash.update(config.get('public_url'));
+  COOKIE_KEY += "_" + hash.digest('hex').slice(0, 6);
+}
+
+logger.info('session cookie name is: ' + COOKIE_KEY);
 
 function clearAuthenticatedUser(session) {
   session.reset(['csrf']);

tests/cookie-session-security-test.js

@@ -52,7 +52,7 @@ suite.addBatch({
           wsapi.clearCookies();
 
           // mess up the cookie
-          var the_match = first_cookie.match(/browserid_state=([^;]*);/);
+          var the_match = first_cookie.match(/browserid_state(?:_[a-z0-9]+)?=([^;]*);/);
           assert.isNotNull(the_match);
           var new_cookie_val = the_match[1].substring(0, the_match[1].length - 1);
           wsapi.injectCookies({browserid_state: new_cookie_val});