# HG changeset patch # User Thomas De Schampheleire # Date 2015-03-10 20:00:41 # Node ID 70e29dc91debcabcf6cf69f357ea3c0380c60e6e # Parent 6892b0515af98fd2e4e6db9c535a854e1ba2e0b1 ini file: clarify that beaker.session.key should be unique When several instances of Kallithea are running on the same machine, the same browser cannot be logged into both instances at the same time without conflicts. The login session are saved into the same cookie; logging into one instance closes the session on the second instance and vice-versa. This is caused because the cookie name is simply 'kallithea', combined with the fact that the cookie specification (RFC6265) states that there is no isolation of cookies based on port. This means that the browser sends all cookies from a given domain with all services (Kallithea instances) running on that domain, irrespective of port. The services thus need to handle any such issue themselves, for example by using unique cookie names and only interacting with one's own cookie. Making the key unique when creating the configuration file proved difficult: - it does not seem possible to hook into 'paster make-config' - since Beaker directly interprets the beaker.session.key, changing it on the fly from SessionMiddleware will not work correctly. There is a kallithea-config script that is an alternative to 'paster make-config' which would be the ideal place to make such changes. However, it seems this method is not advocated over 'paster make-config' (yet?). Instead, simply add a comment in the config file and let the user take care of it. diff --git a/development.ini b/development.ini --- a/development.ini +++ b/development.ini @@ -351,6 +351,8 @@ beaker.cache.sql_cache_long.key_length = ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = development-not-secret diff --git a/kallithea/bin/template.ini.mako b/kallithea/bin/template.ini.mako --- a/kallithea/bin/template.ini.mako +++ b/kallithea/bin/template.ini.mako @@ -348,6 +348,10 @@ beaker.cache.sql_cache_long.key_length = <%text>## file based cookies (default) ## #beaker.session.type = file +<%text> +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. + beaker.session.key = kallithea beaker.session.secret = ${uuid()} diff --git a/kallithea/config/deployment.ini_tmpl b/kallithea/config/deployment.ini_tmpl --- a/kallithea/config/deployment.ini_tmpl +++ b/kallithea/config/deployment.ini_tmpl @@ -345,6 +345,8 @@ beaker.cache.sql_cache_long.key_length = ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = ${app_instance_uuid} diff --git a/production.ini b/production.ini --- a/production.ini +++ b/production.ini @@ -349,6 +349,8 @@ beaker.cache.sql_cache_long.key_length = ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = change-me diff --git a/test.ini b/test.ini --- a/test.ini +++ b/test.ini @@ -351,6 +351,8 @@ beaker.cache.sql_cache_long.key_length = ## file based cookies (default) ## #beaker.session.type = file +## beaker.session.key should be unique for a given host, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. beaker.session.key = kallithea beaker.session.secret = {74e0cd75-b339-478b-b129-07dd221def1f}