New special values for "domain" parameter

Maxime Besson requested to merge fix-cookiedomain-3040 into v2.0

This MR is preliminary work for #3040 (closed).

It introduces new options for "domain":

  • empty string: means cookies are only valid for the portal itself. This might be used in some extremely specific situations (SAML/OIDC/CAS only + no manager)
  • #PORTAL#: use the same domain as the portal, such as auth.example.com, including subdomains
  • #PORTALDOMAIN#: use the parent domain of the portal, such as example.com

Once #3040 (closed) is complete, this work will allow the cookie domain to be completely derived from $req.

We could even already make #PORTALDOMAIN# the default in new installs? This way users will only have to change the "portal" variable in most situations.
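
Added example (not part of the merge request and not LemonLDAP::NG code): how each of the three values scopes the session cookie under RFC 6265 domain matching. The function names, the sample hosts, and the rule that #PORTALDOMAIN# drops the leftmost label of the portal host are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def resolve_cookie_domain(setting, portal_url):
    """Return the cookie Domain attribute, or None for a host-only cookie."""
    host = urlsplit(portal_url).hostname  # lowercased, port removed
    if setting not in ("#PORTAL#", "#PORTALDOMAIN#"):
        # Explicit domain set by the admin; "" means no Domain attribute.
        return setting.lstrip(".") or None
    if _is_ip(host):
        return None  # an IP address has no parent domain or subdomains
    if setting == "#PORTAL#":
        return host
    labels = host.split(".")
    # Assumption: parent domain = portal host minus its leftmost label.
    # With fewer than three labels the parent would be a bare TLD, so fall
    # back to host-only. Multi-label public suffixes (co.uk) would need a
    # public suffix list; browsers reject such Domain values.
    return ".".join(labels[1:]) if len(labels) >= 3 else None

def cookie_sent_to(cookie_domain, portal_url, request_host):
    """RFC 6265 matching: exact host if host-only, else host or subdomain."""
    request_host = request_host.lower()
    if cookie_domain is None:
        return request_host == urlsplit(portal_url).hostname
    return (request_host == cookie_domain
            or request_host.endswith("." + cookie_domain))

def cookie_scope(setting, portal_url, hosts):
    """List the hosts from `hosts` that would receive the session cookie."""
    domain = resolve_cookie_domain(setting, portal_url)
    return [h for h in hosts if cookie_sent_to(domain, portal_url, h)]

# Constructed sample data, not taken from the merge request.
PORTAL = "https://auth.example.com/"
HOSTS = ["auth.example.com", "sso.auth.example.com",
         "manager.example.com", "app.example.com", "notexample.com"]

if __name__ == "__main__":
    for setting in ("", "#PORTAL#", "#PORTALDOMAIN#"):
        print(repr(setting), "->", cookie_scope(setting, PORTAL, HOSTS))
```

The empty-string case leaves manager.example.com without the cookie, which matches the "no manager" restriction in the description; #PORTALDOMAIN# gives the widest scope, so every host under the parent domain has to be trusted with the session cookie.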
