Bug 34724

Summary: Domain for single sign-on cookie
Product: Tomcat 5
Reporter: Oliver Rossmueller <oros>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: P2    
Version: 5.5.9   
Target Milestone: ---   
Hardware: Other   
OS: other   
Attachments: SSO cookie domain patch
AuthenticatorBase.java patch
SingleSignOn.java patch
mbeans-descriptors.xml patch

Description Oliver Rossmueller 2005-05-03 13:39:17 UTC
I have the following setup:

- Apache webserver in front of Tomcat 5.5.9
- three 3rd-level domains www.mydomain.xa, search.mydomain.xa, my.mydomain.xa
- Single Sign-On valve in Tomcat is activated
- Login is handled by my.mydomain.xa and its corresponding webapp under context /My

The problem with the SSO cookie created by Tomcat after successful login is that
the domain name stored with the cookie is my.mydomain.xa. Therefore the SSO
cookie is not sent by the user agent if a request goes to www.mydomain.xa or
search.mydomain.xa and single-sign on is not working for these subdomains.

So I need a way to tell Tomcat to set '.mydomain.xa' as the domain of the SSO
cookie so it will be sent by the user agent for all subdomains. Therefore I
introduced the system property 'tomcat.sso.cookie.domain' and added a few lines
to AuthenticatorBase.java where the value of named system property is used - if
available - to set the SSO cookie's domain (see attached patch). The system
property can be set in the startup script for example.
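The behaviour described above is the user agent's cookie domain-matching rule (RFC 6265 section 5.1.3): a cookie set without a Domain attribute is host-only and goes back only to the exact host that set it, while a cookie with Domain=.mydomain.xa goes to mydomain.xa and every host beneath it. The following is an added illustration of that rule, not code from Tomcat or from the reporter's patch; the cookie name "SSO", the header strings and the list of hosts are constructed for the example, and the simplified parser ignores Path, Expires and the public-suffix check a real browser would also apply.

```python
"""Worked illustration of RFC 6265 cookie domain matching (added example,
not Tomcat code).  Shows why an SSO cookie set by my.mydomain.xa without a
Domain attribute never reaches www.mydomain.xa or search.mydomain.xa, and
why Domain=.mydomain.xa fixes that without leaking to look-alike hosts."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # lower-cased, leading dot stripped (RFC 6265 5.2.3)
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool = False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it.
    'mydomain.xa.attacker.test' does NOT match 'mydomain.xa'."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header the way a user agent stores it.
    Raises ValueError when the Domain attribute does not cover the host
    that sent it (a host may only widen scope to its own parent domains)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = request_host.lower()   # default: the request host, host-only
    host_only = True
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lower().lstrip(".")
            host_only = False
        elif key == "secure":
            secure = True
    if not host_only and not domain_matches(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    return Cookie(name.strip(), value.strip(), domain, host_only, secure)


def is_accepted(header: str, request_host: str) -> bool:
    """True if a user agent would store the cookie at all."""
    try:
        parse_set_cookie(header, request_host)
        return True
    except ValueError:
        return False


def cookies_for_request(jar: Iterable[Cookie], host: str,
                        https: bool = False) -> List[str]:
    """Names of the stored cookies a user agent attaches to a request."""
    sent = []
    for c in jar:
        if c.secure and not https:
            continue
        if c.host_only:
            if host.lower() == c.domain:
                sent.append(c.name)
        elif domain_matches(host, c.domain):
            sent.append(c.name)
    return sent


# Constructed scenario mirroring the report: login happens on my.mydomain.xa.
LOGIN_HOST = "my.mydomain.xa"
SITES = ["my.mydomain.xa", "www.mydomain.xa", "search.mydomain.xa",
         "mydomain.xa", "mydomain.xa.attacker.test"]
# Hypothetical cookie name and value; the stock header has no Domain attribute,
# the fixed one carries the domain the patch lets you configure on the valve.
BEFORE = "SSO=abc123; Path=/"
AFTER = "SSO=abc123; Path=/; Domain=.mydomain.xa"


def sso_reach(set_cookie: str) -> Dict[str, bool]:
    """For each site, would the browser send the SSO cookie there?"""
    jar = [parse_set_cookie(set_cookie, LOGIN_HOST)]
    return {h: "SSO" in cookies_for_request(jar, h) for h in SITES}


if __name__ == "__main__":
    for label, header in (("without Domain", BEFORE), ("with Domain", AFTER)):
        print(label, sso_reach(header))
```

Note the trade-off the patch introduces: once the cookie carries Domain=.mydomain.xa, every host under mydomain.xa receives the SSO cookie, not just the three that need it, so the configured domain should be no wider than the hosts that actually participate in single sign-on, and the cookie should be marked Secure when the sites are served over TLS.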
Comment 1 Oliver Rossmueller 2005-05-03 13:40:28 UTC
Created attachment 14918 [details]
SSO cookie domain patch
Comment 2 Remy Maucherat 2005-05-03 14:12:08 UTC
It's a good use case, but it's not the right way to do it. You should add an
optional attribute on the SSO valve instead.
Comment 3 Oliver Rossmueller 2005-05-09 16:19:31 UTC
Created attachment 14971 [details]
AuthenticatorBase.java patch
Comment 4 Oliver Rossmueller 2005-05-09 16:19:56 UTC
Created attachment 14972 [details]
SingleSignOn.java patch
Comment 5 Oliver Rossmueller 2005-05-09 16:20:28 UTC
Created attachment 14973 [details]
mbeans-descriptors.xml patch
Comment 6 Oliver Rossmueller 2005-05-09 16:24:16 UTC
I agree that an optional attribute on the SingleSignOn valve is the more
elegant way to specify a domain name for the SSO cookie. I modified the
implementation in the suggested way (see the three new patches attached) so the
cookie domain can be set on the valve like

<Valve className="org.apache.catalina.authenticator.SingleSignOn"
cookieDomain=".mydomain.xa"/>
Comment 7 Yoav Shapira 2005-10-17 00:21:28 UTC
I've committed the patch into HEAD, it'll be in 5.5.13.  Thank you for
contributing it!