FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

[Bug]: Hosted backend does not support second-level domains #2735

Closed spwitt closed 1 month ago

spwitt commented 1 month ago

What happened?

Problem

FusionAuth's hosted backend API creates cookies on the broadest domain that is not a top-level domain. This causes issues for second-level domains such as .co.uk as the cookies are defined too broadly.

Solution

Account for the list of public suffixes when deciding the domain for the cookie.

Related

Version

1.49.1

Affects Versions

>= 1.45.0

mooreds commented 1 month ago

Suggest using the public suffix list https://publicsuffix.org/list/public_suffix_list.dat which will resolve this issue going forward for more than the co.uk domain.

I don't know how often that file changes, but it's licensed liberally and maintained.
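Added example (not FusionAuth code) showing what the suggestion above changes in practice: the naive rule "broadest domain that is not a TLD" beside a lookup against Public Suffix List rules. The rule set embedded here is a constructed excerpt in the format of public_suffix_list.dat, including a wildcard and an exception rule so the full PSL algorithm is exercised; a real deployment would load the complete file and refresh it no more than daily.

```python
"""Compute the registrable domain (eTLD+1) for a hostname using Public Suffix
List rules, so a cookie's Domain attribute is never set on a public suffix
such as co.uk.

Added example, not FusionAuth code. PSL_EXCERPT is a constructed subset in
the format of https://publicsuffix.org/list/public_suffix_list.dat.
"""
from typing import List, Optional

# Constructed excerpt of PSL rules. As in the real file, '//' starts a
# comment, '*' is a wildcard label and '!' marks an exception rule.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
org.uk
jp
*.ck
!www.ck
// ===END ICANN DOMAINS===
"""


def parse_psl(text: str) -> List[str]:
    """Return the rule lines, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.lower())
    return rules


def naive_cookie_domain(host: str) -> str:
    """The behaviour described in the bug report: take the last two labels.
    For auth.example.co.uk this yields co.uk, which is far too broad."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _rule_matches(rule_labels: List[str], host_labels: List[str]) -> bool:
    """A rule matches when the host ends with the rule's labels, right to
    left, with '*' standing for any single label."""
    if len(rule_labels) > len(host_labels):
        return False
    for r, h in zip(reversed(rule_labels), reversed(host_labels)):
        if r != "*" and r != h:
            return False
    return True


def public_suffix(host: str, rules: List[str]) -> str:
    """PSL algorithm: an exception rule wins outright, otherwise the longest
    matching rule; with no match the implicit rule '*' applies (last label).
    An exception rule is applied with its leftmost label removed."""
    host_labels = host.lower().rstrip(".").split(".")
    prevailing: Optional[str] = None
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, host_labels):
            continue
        if is_exception:
            prevailing = rule
            break
        if prevailing is None or len(rule_labels) > len(prevailing.split(".")):
            prevailing = rule
    if prevailing is None:
        prevailing = "*"
    labels = prevailing.lstrip("!").split(".")
    if prevailing.startswith("!"):
        labels = labels[1:]  # exception: drop the leftmost label
    return ".".join(host_labels[-len(labels):])


def registrable_domain(host: str, rules: List[str]) -> Optional[str]:
    """eTLD+1 for the host, or None when the host itself is a public suffix
    (in that case the cookie should be host-only: omit the Domain attribute)."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None
    labels = host.split(".")
    return ".".join(labels[-(len(suffix.split(".")) + 1):])


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    for h in ("auth.example.co.uk", "login.example.com", "foo.bar.ck"):
        print(h, "naive:", naive_cookie_domain(h), "psl:", registrable_domain(h, rules))
```

Returning None for a host that is itself a public suffix is deliberate: browsers reject a Domain attribute equal to a public suffix, so the only safe choice there is a host-only cookie.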

spwitt commented 1 month ago

https://publicsuffix.org/list/

If you wish to make your app download an updated list periodically, please use this URL and have your app download the list no more than once per day. (The list usually changes a few times per week; more frequent downloading is pointless and hammers our servers.)

The public suffix approach resolves this issue but does not resolve the related issue where a registrable domain has multiple FusionAuth deployments hosted on different subdomains or multiple domains that point to the same FusionAuth deployments.

mooreds commented 1 month ago

I agree that it doesn't fix the related issue. But the related issue feels more like an enhancement, so I'd advocate solving it in a backwards compatible manner.

I also think we could take a subset of the public suffix list. We don't need to work with every one. We could take all the ICANN domains, or even just all the domains that have a two letter root domain (like the .ac and .uk ones).

I'd advocate for solving this bug in the right way, and solving https://github.com/FusionAuth/fusionauth-issues/issues/2479 via configuration in a backwards compatible way.

spwitt commented 1 month ago

Internal