From 7d34a11c78c0e3c24410523e44b8b7f68e776384 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Fri, 10 Feb 2012 12:46:48 -0700
Subject: [PATCH] vary session cookie name by public_url when public_url is not
 browserid.org - this addresses issues which affect testing with IE when
 cookies are set for both diresworb.org and dev.diresworb.org.  closes #296.

---
 lib/wsapi.js                          | 13 ++++++++++++-
 tests/cookie-session-security-test.js |  2 +-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/wsapi.js b/lib/wsapi.js
index 14e6ec1ea..4bc001d41 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -38,7 +38,18 @@ var abide = i18n.abide({
 });
 
 const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', config.get('var_path'));
-const COOKIE_KEY = 'browserid_state';
+var COOKIE_KEY = 'browserid_state';
+
+// to support testing of browserid, we'll add a hash fragment to the cookie name for
+// sites other than browserid.org.  This is to address a bug in IE, see issue #296
+if (config.get('public_url').indexOf('https://browserid.org') !== 0) {
+  const crypto = require('crypto');
+  var hash = crypto.createHash('md5');
+  hash.update(config.get('public_url'));
+  COOKIE_KEY += "_" + hash.digest('hex').slice(0, 6);
+}
+
+logger.info('session cookie name is: ' + COOKIE_KEY);
 
 function clearAuthenticatedUser(session) {
   session.reset(['csrf']);
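Review bot: The `indexOf('https://browserid.org') !== 0` check is a prefix match, so any `public_url` that merely begins with that string (a constructed example: `https://browserid.org.example.test`) is treated as production and keeps the unsuffixed `browserid_state` name. Comparing the parsed host is tighter: `if (require('url').parse(config.get('public_url')).hostname !== 'browserid.org') {`. A comment above the `createHash('md5')` line would also help, e.g. `// md5 only derives a short, stable name suffix; session integrity still relies on COOKIE_SECRET`. The suffix keeps cookie names apart, but it would not stop a cookie signed with the same secret from verifying on another deployment if the two ever share a secret.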
diff --git a/tests/cookie-session-security-test.js b/tests/cookie-session-security-test.js
index 9ca0f4d10..dd3466090 100755
--- a/tests/cookie-session-security-test.js
+++ b/tests/cookie-session-security-test.js
@@ -52,7 +52,7 @@ suite.addBatch({
           wsapi.clearCookies();
 
           // mess up the cookie
-          var the_match = first_cookie.match(/browserid_state=([^;]*);/);
+          var the_match = first_cookie.match(/browserid_state(?:_[a-z0-9]+)?=([^;]*);/);
           assert.isNotNull(the_match);
           var new_cookie_val = the_match[1].substring(0, the_match[1].length - 1);
           wsapi.injectCookies({browserid_state: new_cookie_val});
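Review bot: The regex now accepts the suffixed cookie name, but the tampered value on the last line of the hunk is still injected under the fixed key `browserid_state`, so with a non-browserid.org `public_url` the server would presumably never see the modified cookie under the name it reads. The test could then pass because the cookie is absent, not because the tampered value was rejected; the assertions are outside this hunk, so this needs confirming. Capturing the name and reusing it avoids that: `var the_match = first_cookie.match(/(browserid_state(?:_[a-f0-9]{6})?)=([^;]*);/);`, then `var injected = {}; injected[the_match[1]] = the_match[2].substring(0, the_match[2].length - 1);` and `wsapi.injectCookies(injected);`. The `[a-f0-9]{6}` class matches the six hex characters the server appends, where `[a-z0-9]+` accepts more than that.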
-- 
GitLab