[TYPO3-dev] Is config key 'cookieDomain' worth a patch?
Xavier Perseguers
typo3 at perseguers.ch
Sun Jan 4 09:43:54 CET 2009
Hi Marcus,
>> Xavier Perseguers wrote:
>>> ==== WHAT I SUGGEST ====
>>>
>>> 1) Either create a second cookieDomain parameter to be used for FE
>>> (or BE)
>>> 2) Better would be to add this configuration property to the domain
>>> record itself. This way it would fall back to current behaviour if not
>>> configured but would allow me to handle even more complex scenario.
>>>
>>>
>>> What is your point of view? TYPO3 4.3 is not yet out and thus it would
>>> still be time to do this.
>>
>> My suggestion for typo3conf/localconf.php in such cases:
>>
>> if (TYPO3_MODE == 'BE') {
>> $TYPO3_CONF_VARS['SYS']['cookieDomain'] = $_SERVER['HTTP_HOST'];
>> }
>> else {
>> $TYPO3_CONF_VARS['SYS']['cookieDomain'] = '.domain.tld';
>> }
>
> In this case you should know what you are doing. By that, in regards to
> security, you are exposing Session IDs to all subdomains. This is fine if
> you are the owner of _all_ subdomains and can ensure that there is and
> won't be any malicious code on those subdomains.
Thanks for your feedback. Yes, I see the point. As in this very case I am
in charge of the DNS itself and the server that hosts the vhosts, this
is just fine. For the malicious code, it's OK in my situation.
--
Xavier Perseguers
http://xavier.perseguers.ch/en
One contribution a day keeps the fork away
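The cookie-scoping point Marcus raises, as an added example that is not part of this thread or of TYPO3 itself: an RFC 6265 domain-matching check that lists which vhosts a browser would return the session cookie to for a given cookieDomain value. The host names are constructed for illustration; `.domain.tld` stands in for the wildcard setting and `admin.domain.tld` for a per-host (BE) value.

```python
"""Which hosts receive a session cookie for a given cookieDomain?

Added example (not from the TYPO3 thread): implements the RFC 6265
domain-matching rule so the scope of a cookieDomain setting can be
checked before it is deployed. All host names are constructed.
"""


def canonical(host: str) -> str:
    """Lower-case the host and drop a leading dot (RFC 6265 ignores it)."""
    return host.strip().lower().lstrip(".")


def domain_matches(request_host: str, cookie_domain: str, set_by: str = None) -> bool:
    """RFC 6265 5.1.3: a host matches when it equals the cookie domain or is
    a subdomain of it (suffix match on a label boundary). An empty cookie
    domain means a host-only cookie, returned only to the host that set it."""
    h, d = canonical(request_host), canonical(cookie_domain)
    if not d:
        return set_by is not None and h == canonical(set_by)
    return h == d or h.endswith("." + d)


def hosts_receiving_cookie(cookie_domain: str, hosts, set_by: str = None):
    """Return the subset of hosts the browser would send the cookie to."""
    return [h for h in hosts if domain_matches(h, cookie_domain, set_by)]


# Constructed vhosts standing in for the FE and BE hosts discussed above.
VHOSTS = ["www.domain.tld", "admin.domain.tld", "blog.domain.tld", "otherdomain.tld"]

if __name__ == "__main__":
    # Wildcard setting: every subdomain gets the (BE) session ID.
    print(".domain.tld     ->", hosts_receiving_cookie(".domain.tld", VHOSTS))
    # Per-host setting: only the BE vhost sees the cookie.
    print("admin.domain.tld ->", hosts_receiving_cookie("admin.domain.tld", VHOSTS))
    # No Domain attribute at all: host-only cookie for the setting host.
    print("(host-only)      ->", hosts_receiving_cookie("", VHOSTS, set_by="admin.domain.tld"))
```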