Mercurial > kallithea
changeset 4916:70e29dc91deb
ini file: clarify that beaker.session.key should be unique
When several instances of Kallithea are running on the same machine, the
same browser cannot be logged into both instances at the same time without
conflicts. The login session are saved into the same cookie; logging into
one instance closes the session on the second instance and vice-versa.
This is caused because the cookie name is simply 'kallithea', combined with
the fact that the cookie specification (RFC6265) states that there is no
isolation of cookies based on port. This means that the browser sends all
cookies from a given domain with all services (Kallithea instances) running
on that domain, irrespective of port.
The services thus need to handle any such issue themselves, for example by
using unique cookie names and only interacting with one's own cookie.
Making the key unique when creating the configuration file proved difficult:
- it does not seem possible to hook into 'paster make-config'
- since Beaker directly interprets the beaker.session.key, changing it on
the fly from SessionMiddleware will not work correctly.
There is a kallithea-config script that is an alternative to 'paster
make-config' which would be the ideal place to make such changes. However,
it seems this method is not advocated over 'paster make-config' (yet?).
Instead, simply add a comment in the config file and let the user take care
of it.
author | Thomas De Schampheleire <thomas.de.schampheleire@gmail.com> |
---|---|
date | Tue, 10 Mar 2015 20:00:41 +0100 |
parents | 6892b0515af9 |
children | 0bc8975f5365 |
files | development.ini kallithea/bin/template.ini.mako kallithea/config/deployment.ini_tmpl production.ini test.ini |
diffstat | 5 files changed, 12 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/development.ini Thu Mar 12 09:44:48 2015 +0100 +++ b/development.ini Tue Mar 10 20:00:41 2015 +0100 @@ -351,6 +351,8 @@ ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = development-not-secret
--- a/kallithea/bin/template.ini.mako Thu Mar 12 09:44:48 2015 +0100 +++ b/kallithea/bin/template.ini.mako Tue Mar 10 20:00:41 2015 +0100 @@ -348,6 +348,10 @@ <%text>## file based cookies (default) ##</%text> #beaker.session.type = file +<%text> +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. +</%text> beaker.session.key = kallithea beaker.session.secret = ${uuid()}
--- a/kallithea/config/deployment.ini_tmpl Thu Mar 12 09:44:48 2015 +0100 +++ b/kallithea/config/deployment.ini_tmpl Tue Mar 10 20:00:41 2015 +0100 @@ -345,6 +345,8 @@ ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = ${app_instance_uuid}
--- a/production.ini Thu Mar 12 09:44:48 2015 +0100 +++ b/production.ini Tue Mar 10 20:00:41 2015 +0100 @@ -349,6 +349,8 @@ ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = change-me
--- a/test.ini Thu Mar 12 09:44:48 2015 +0100 +++ b/test.ini Tue Mar 10 20:00:41 2015 +0100 @@ -351,6 +351,8 @@ ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = {74e0cd75-b339-478b-b129-07dd221def1f}