[mod_python] the domain name in mod_python's session/cookie management

Deron Meranda deron.meranda at gmail.com
Mon Mar 20 17:57:34 EST 2006

On 3/20/06, Kevin Wang <kwang at activegrid.com> wrote:
> Looks like mod_python never sets the domain name in "Set-Cookie" header, but
> both firefox and IE browsers are smart enough to assume that the cookie
> belongs to the host requested.

Actually that's what the standards demand that the browsers do, it's
not just a coincidence.

Set-Cookie is actually somewhat dated and is documented in
RFC 2109 - http://www.ietf.org/rfc/rfc2109.txt
Set-Cookie2 is the current standard as documented in
RFC 2965 - http://www.ietf.org/rfc/rfc2965.txt

However Set-Cookie2, while techinically superior, is not as widely
understood by browsers.  So mod_python sticks with Set-Cookie.

> However, in the case of request coming from an IE frame, it no longer works!
>   I have no idea why it doesn't work in an IE frame.

Hmm. Are you using cross-domain frames or anything complicated?

> To me, the right solution should be that mod_python always sets the domain
> name if one is passed in.

You of course can always dive into lower-level code.  For instance
mod_python's Cookie module does let you get at the domain
attribute, which you can set however you like.  (Not to mention
Python's own Cookie/Morsel classes)
Deron Meranda

More information about the Mod_python mailing list