Status: Open
Labels: auth (Authorization and authentication)
@jwb and @osteele discussed using the cookie-based authentication documented here for single-sign-on across olin.build subdomains.
For this to work, something like this would be necessary:
In abe/auth/__init__.py, modify:
response.set_cookie('app_secret', shared_secret)
to:
response.set_cookie('name', 'value', domain=os.environ.get('AUTH_COOKIE_DOMAIN', None))
Document AUTH_COOKIE_DOMAIN as appropriate.
Set AUTH_COOKIE_DOMAIN to olin.build in production (but probably not in dev).
Questions:
Does response.set_cookie accept domain=None, or does it need a different value in order to suppress the domain?
Will this break clients that aren't served from a *.olin.build domain? Maybe the domain should only be set if the referrer is a subdomain.
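
One way to handle both questions, as an added example that is not ABE's code: leave out the Domain attribute when AUTH_COOKIE_DOMAIN is unset, and send it only when the host serving the response domain-matches it, since browsers discard a Set-Cookie whose Domain does not cover the responding host (RFC 6265). It uses the standard library's http.cookies instead of the Flask response object; the function names and the sample cookie value are hypothetical.

```python
# Added example: decide per response whether the auth cookie gets a Domain.
import os
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    # urlsplit strips the port and lowercases; it also copes with IPv6 literals.
    host = (urlsplit("//" + request_host).hostname or "").rstrip(".")
    domain = cookie_domain.lower().strip(".")
    # The leading dot stops "evilolin.build" from matching "olin.build".
    return bool(domain) and (host == domain or host.endswith("." + domain))


def auth_cookie_header(name, value, request_host, cookie_domain=None, secure=True):
    """Build the Set-Cookie header value for the auth cookie.

    cookie_domain=None (AUTH_COOKIE_DOMAIN unset) gives a host-only cookie:
    no Domain attribute, so the browser returns it to the exact host only.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True      # keep the secret away from page scripts
    morsel["samesite"] = "Lax"     # assumption: cross-site POSTs need no cookie
    if secure:                     # assumption: production is HTTPS-only
        morsel["secure"] = True
    # A Domain-scoped cookie is sent to every host under that domain, so only
    # widen the scope when configured and when the browser would accept it.
    if cookie_domain and domain_matches(request_host, cookie_domain):
        morsel["domain"] = cookie_domain.strip(".")
    return morsel.OutputString()


if __name__ == "__main__":
    configured = os.environ.get("AUTH_COOKIE_DOMAIN")  # None when unset
    # Constructed sample hosts and value, for illustration only.
    for host in ("abe.olin.build", "localhost:3000", "evilolin.build"):
        print(host, "->", auth_cookie_header("app_secret", "constructed-value",
                                             host, configured or "olin.build"))
```

With Domain=olin.build the cookie, and therefore the shared secret, is returned to every host under olin.build, which is worth weighing before enabling it in production.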