[mod_python] the domain name in mod_python's session/cookie management

Graham Dumpleton grahamd at dscpl.com.au
Mon Mar 20 17:49:41 EST 2006


Kevin Wang wrote ..
> Hi All,
> 
> The reason I am asking this is because I found a problem with mod_python's
> Set-Cookie response.  I am assuming that the standard way for setting a
> cookie in a response is that both the application path and domain name
> are supplied so that the next time, the browser will decide whether to
> use this cookie for a certain domain and application path.
> 
> Looks like mod_python never sets the domain name in "Set-Cookie" header,
> but both Firefox and IE browsers are smart enough to assume that the
> cookie belongs to the host requested.  So it works for both Firefox and IE.
> However, in the case of a request coming from an IE frame, it no longer
> works!  I have no idea why it doesn't work in an IE frame.

Ensure that the frame uses the exact same hostname to request the
resource from the server as the URL which originally issued the cookie.
If for example the cookie was issued by URL mentioning "www.site.com",
but the frame was accessing "site.com", I don't imagine it would work.

> To me, the right solution should be that mod_python always sets the domain
> name if one is passed in.

I don't believe it should be necessary. Should only be required where
you want cross site session cookie within same enclosing domain.
Although as I mentioned, support for this is possibly missing in the
session implementation.

Graham
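
Added example, not part of the original message or of mod_python: a simplified Python model of how a browser scopes a cookie with and without a Domain attribute, following the RFC 6265 domain-matching rules. The cookie name and value, the hostnames other than those in the message, and the helper names `store_cookie` and `cookie_sent` are constructed for illustration; public-suffix checks, paths and IP-address hosts are left out.

```python
from http.cookies import SimpleCookie


def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def store_cookie(set_cookie_value, request_host):
    """Model how a browser stores a Set-Cookie value received from request_host.

    Returns (name, value, domain, host_only), or None when the Domain
    attribute does not cover the host that sent it (the browser rejects it).
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    name, morsel = next(iter(jar.items()))
    host = request_host.lower()
    domain = morsel["domain"].lstrip(".").lower()
    if not domain:
        # No Domain attribute: host-only cookie, bound to the exact hostname.
        return (name, morsel.value, host, True)
    if not domain_match(host, domain):
        return None
    # Domain attribute present: cookie is shared with every subdomain.
    return (name, morsel.value, domain, False)


def cookie_sent(stored, request_host):
    """Would the browser attach this stored cookie to a request for request_host?"""
    _name, _value, domain, host_only = stored
    host = request_host.lower()
    if host_only:
        return host == domain
    return domain_match(host, domain)


if __name__ == "__main__":
    # Constructed sample headers: one without a Domain attribute, one with.
    host_only = store_cookie("pysid=abc123; Path=/", "www.site.com")
    scoped = store_cookie("pysid=abc123; Domain=site.com; Path=/", "www.site.com")
    for target in ("www.site.com", "site.com", "app.site.com"):
        print(target, cookie_sent(host_only, target), cookie_sent(scoped, target))
```

With the Domain attribute set, the session cookie is also sent to every other host under `site.com`, so that setting widens where the session identifier travels.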

