[Zope] redirect between domains & maintain login

Declan Shanaghy declan at shanaghy.com
Thu Dec 23 14:47:03 EST 2004


I have set up a portal of shopping sites.
Each merchant we support has their own domain set up.

e.g.

http://www.some-merchant.com

Seeing as they are shopping sites certain pages have
to be handled by SSL.

Due to SSL limitations only 1 SSL domain + certificate
can exist per IP, and we only have 1 IP.  Therefore my
solution is that for non SSL pages the merchant can
use their own unique domain name, but all SSL pages
will be redirected to 

https://merchantname.portal.com and an SSL certificate
is set up with a CN of *.portal.com

A problem arises when switching between domains like
this.  The login cookie is lost.  Currently I do a
redirect between domains and include __ac_name and
__ac_password arguments in the URL so the user stays
logged in, but this causes the username and password
to be displayed in the address bar in plain text.

I'd like to secure this more.

Is there any way that I could

A - Encrypt __ac_name and __ac_password values?

or

B - Set the cookie for both domains so name and
password don't have to be transferred?



Hope someone has some idea!
Thanks,
Dek
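
An added example, not part of the original post and not Zope's own code: one way to keep __ac_name and __ac_password out of the redirect URL is to pass a short-lived, single-use, HMAC-signed ticket that names the user and the target host, which the receiving domain verifies before setting its own login cookie. The function names, the /login_handoff path, the 30-second lifetime and the in-memory replay set are assumptions made for the sketch; it also assumes both domains are served by the same process so they can share the key.

```python
import base64, hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: one key shared by both virtual hosts
TTL = 30                          # seconds a ticket stays valid (assumed value)
_used = set()                     # redeemed nonces; in-memory only for this sketch

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def issue_ticket(username, target_host, now=None):
    """Called on the domain where the user is already logged in."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    payload = f"{username}|{target_host}|{now + TTL}|{nonce}".encode()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(_sign(payload)).decode()

def redeem_ticket(ticket, request_host, now=None):
    """Called on the target domain; returns the username or None."""
    now = int(time.time() if now is None else now)
    try:
        p64, s64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None     # forged or altered ticket
    username, host, expires, nonce = payload.decode().rsplit("|", 3)
    if host != request_host or now > int(expires) or nonce in _used:
        return None     # wrong site, expired, or replayed
    _used.add(nonce)    # single use
    return username

if __name__ == "__main__":
    # /login_handoff is a hypothetical path used only for illustration
    t = issue_ticket("dek", "merchantname.portal.com")
    print("https://merchantname.portal.com/login_handoff?ticket=" + t)
    print(redeem_ticket(t, "merchantname.portal.com"))  # first use succeeds
    print(redeem_ticket(t, "merchantname.portal.com"))  # replay is rejected
```

The ticket still shows the username in readable base64, but it carries no password and is useless after one redemption or once it expires.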

