
[Bug]: Hosted backend does not support second-level domains #2735

Closed
spwitt opened this issue May 2, 2024 · 4 comments

spwitt commented May 2, 2024

What happened?

Problem

FusionAuth's hosted backend API creates cookies on the broadest domain that is not a top-level domain. This causes issues for second-level domains such as .co.uk as the cookies are defined too broadly.

Solution

Account for the list of public suffixes when deciding the domain for the cookie.

Related

Version

1.49.1

Affects Versions

>= 1.45.0

@spwitt spwitt added the bug Something isn't working label May 2, 2024
@spwitt spwitt added this to the 1.52.0 milestone May 2, 2024
mooreds (Collaborator) commented May 8, 2024

Suggest using the public suffix list https://publicsuffix.org/list/public_suffix_list.dat which will resolve this issue going forward for more than the co.uk domain.

I don't know how often that file changes, but it's licensed liberally and maintained.

spwitt (Author) commented May 8, 2024

https://publicsuffix.org/list/

If you wish to make your app download an updated list periodically, please use this URL and have your app download the list no more than once per day. (The list usually changes a few times per week; more frequent downloading is pointless and hammers our servers.)

The public suffix approach resolves this issue but does not resolve the related issue where a registrable domain has multiple FusionAuth deployments hosted on different subdomains or multiple domains that point to the same FusionAuth deployments.

mooreds (Collaborator) commented May 9, 2024

I agree that it doesn't fix the related issue. But the related issue feels more like an enhancement, so I'd advocate solving it in a backwards compatible manner.

I also think we could take a subset of the public suffix list. We don't need to work with every one. We could take all the ICANN domains, or even just all the domains that have a two letter root domain (like the .ac and .uk ones).

I'd advocate for solving this bug in the right way, and solving #2479 via configuration in a backwards compatible way.
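
The public-suffix-aware cookie-domain choice discussed in this thread, as an added example that is not FusionAuth's own code: it embeds a constructed handful of rules in the format of the public suffix list, applies the list's matching algorithm (plain, wildcard and exception rules), and contrasts the result with the "broadest domain that is not a TLD" heuristic from the report. The rule excerpt and host names are constructed for illustration.

```python
# Constructed excerpt of the Public Suffix List (https://publicsuffix.org/list/);
# the real file has thousands of rules. This subset exercises all three rule
# kinds: plain ("co.uk"), wildcard ("*.ck") and exception ("!www.ck").
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
"""

def parse_psl(text):
    """Return (is_exception, labels) tuples, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append((line.startswith("!"), line.lstrip("!").lower().split(".")))
    return rules

def _matches(rule_labels, host_labels):
    """PSL matching: compare labels right to left; '*' matches any one label."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r in ("*", h) for r, h in zip(reversed(rule_labels), reversed(host_labels)))

def naive_cookie_domain(host):
    """The heuristic the report describes (broadest domain that is not a TLD,
    i.e. the last two labels). For any .co.uk host this collapses to 'co.uk'."""
    return ".".join(host.lower().split(".")[-2:])

def cookie_domain(host, rules):
    """Registrable domain (public suffix + one label): the broadest Domain attribute
    a cookie may safely carry. None when the host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    matches = [r for r in rules if _matches(r[1], labels)]
    exceptions = [r for r in matches if r[0]]
    if exceptions:                  # an exception rule always prevails
        is_exc, rule = exceptions[0]
    elif matches:                   # otherwise the rule with the most labels
        is_exc, rule = max(matches, key=lambda r: len(r[1]))
    else:                           # unlisted TLD: the implicit rule "*"
        is_exc, rule = False, ["*"]
    suffix_len = len(rule) - 1 if is_exc else len(rule)   # "!www.ck" -> suffix "ck"
    if len(labels) <= suffix_len:
        return None                 # host-only cookie; no Domain attribute
    return ".".join(labels[-(suffix_len + 1):])
```

With the full list loaded in place of the excerpt, `cookie_domain` gives the narrowest scope that still covers every subdomain of one registrable domain, which is the fix the issue asks for.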

@andrewpai andrewpai modified the milestones: 1.52.0, 1.51.0 May 13, 2024
spwitt (Author) commented May 20, 2024

@spwitt spwitt self-assigned this May 20, 2024
@spwitt spwitt added this to Code complete in FusionAuth Issues May 20, 2024
@linear linear bot closed this as completed May 21, 2024
FusionAuth Issues automation moved this from Code complete to Delivered May 21, 2024