[okfn-labs] Cookie-Auth for API requests
Gregor Aisch
gregor.aisch at okfn.org
Sun Aug 5 19:03:41 UTC 2012
Problem 1: cookies are by default only accessible from the exact domain from which they were created, say "pybossa.com". However, with a bit of hacking it is possible to allow subdomains to access the cookie too, by explicitly setting the cookie domain to ".pybossa.com". I managed to do this by overriding save_session, as shown here:
http://librelist.com/browser//flask/2010/11/28/session-cookie-and-subdomain/#9dbf4e291401e4a664bc8851dddf8c15
Problem 2: AJAX calls only send Cookies if the url you're calling is on the same domain as your calling script. That means that although the application on apps.pybossa.com can read the cookies, it won't send them back when making POST requests to pybossa.com.
http://stackoverflow.com/a/5422323/1532965
So, I think we need a smarter way of providing authentication for external PyBossa apps.
Will create a ticket now..
–Gregor
Am 03.08.2012 um 16:02 schrieb Rufus Pollock:
> On 2 August 2012 12:58, Gregor Aisch <gregor.aisch at okfn.org> wrote:
>>
>> Btw, the one thing that I couldn't get working currently is authentication.
>> Even though I put my pybossa-apps instance inside a sub-domain of the
>> pybossa instance, PyBossa ignores the cookie and treats the task runs as if
>> they were submitted by an anonymous user.
>
> Not quite sure of context here. Do you have an issue filed for this?
> Obviously this does seem to be working on the main pybossa.com (at
> least it was when I last checked ...). For the cookie identification I
> thought we were using standard Flask components and nothing very
> custom ...
>
> Rufus
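As an added illustration of Problem 1 (this is not code from the thread or from PyBossa), the following Python model shows when a browser attaches a session cookie set by pybossa.com to a request for apps.pybossa.com: never for a host-only cookie, and only once the Domain attribute is widened to ".pybossa.com". The function names and the cookie value are hypothetical; the hostnames are the ones from the mail.

```python
# Added example (not from the thread): models RFC 6265 cookie domain scoping
# for the pybossa.com / apps.pybossa.com case described above.
from http.cookies import SimpleCookie
import ipaddress


def build_session_cookie(value, domain=None, secure=True, httponly=True):
    """Return a Set-Cookie header value for a Flask-style 'session' cookie.
    With domain=None the browser stores it as host-only (the default behaviour
    the mail calls Problem 1); with domain='.pybossa.com' every subdomain of
    pybossa.com can read it, so all of those subdomains must be trusted."""
    c = SimpleCookie()
    c["session"] = value
    if domain:
        c["session"]["domain"] = domain
    c["session"]["path"] = "/"
    if secure:
        c["session"]["secure"] = True
    if httponly:
        c["session"]["httponly"] = True
    return c.output(header="").strip()


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching: the hosts are identical, or
    request_host ends with '.' + cookie_domain and is not an IP address.
    Real browsers additionally reject public suffixes such as '.com' via the
    Public Suffix List; that check is deliberately omitted from this model."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored
    if request_host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False  # IP addresses never domain-match a suffix
    except ValueError:
        pass
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(request_host, set_by_host, cookie_domain=None):
    """True if a cookie set by set_by_host (optionally with a Domain attribute)
    is attached to a request for request_host. Host-only cookies need an exact
    host match; domain cookies use domain_matches()."""
    if cookie_domain is None:
        return request_host.lower() == set_by_host.lower()
    # A server may only set a Domain that covers itself; anything else is rejected.
    if not domain_matches(set_by_host, cookie_domain):
        return False
    return domain_matches(request_host, cookie_domain)
```

Note that this only covers whether the cookie is stored and matched; Problem 2 (an XMLHttpRequest from apps.pybossa.com not attaching cookies to a cross-origin POST) is a separate browser rule that a Domain attribute does not change.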