I have a pair of sites that both use authomatic with Flask-login for Google OAuth2,
https://unslumping.org/
https://fun.unslumping.org/
Each works fine if I clear all cookies in both domains before I log in. But logging in to the 2nd level domain seems to mess up logging in to the 3rd level domain. I get caught in a loop where .login() keeps returning an object with a .error either "Unable to retrieve stored state!" or "The returned state csrf cookie ... doesn't match with the stored state!"
Is there a way I can limit the scope of cookies to the root domain, and not let them be used by the subdomain?
I've just been having a look at the spec for setting cookies, which seems to be in RFC2109. It looks like the default position is that cookies are shared, unless the Set-Cookie header has Domain set (which is not the default in authomatic). However, if you set it to e.g. example.com then it is valid for all subdomains as well, so the only way Domain can be useful is if you have 2 'sibling sites' to separate, e.g. www.example.com and foo.example.com.
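The cookie scoping discussed above, as an added example that is not part of this issue thread or of authomatic: Python's http.cookiejar, with its strict host-only option switched on (the module's default policy is pre-RFC 6265 and also sends cookies that carry no Domain attribute to subdomains), shows which requests receive a cookie set by the root site with and without Domain. The two URLs are the ones from the issue; the cookie name and value are constructed.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# The two sites from the issue; the session cookie below is constructed.
ROOT = "https://unslumping.org/"
SUB = "https://fun.unslumping.org/"


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:  # Message allows repeated headers
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def _strict_jar():
    # DomainStrictNonDomain makes a cookie without a Domain attribute
    # host-only, which is how browsers treat it under RFC 6265.
    policy = http.cookiejar.DefaultCookiePolicy(
        strict_ns_domain=http.cookiejar.DefaultCookiePolicy.DomainStrictNonDomain
    )
    return http.cookiejar.CookieJar(policy)


def cookies_sent(set_cookie_value, set_by_url, request_url):
    """Store one Set-Cookie received from set_by_url and return the Cookie
    header the jar attaches to a request for request_url (None if none)."""
    jar = _strict_jar()
    jar.extract_cookies(_FakeResponse([set_cookie_value]),
                        urllib.request.Request(set_by_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def scope_matrix():
    """Root-set cookie, host-only versus Domain=unslumping.org, per request host."""
    host_only = "session=abc123"                            # no Domain attribute
    domain_wide = "session=abc123; Domain=unslumping.org"   # root plus all subdomains
    return {
        "host-only -> root": cookies_sent(host_only, ROOT, ROOT),
        "host-only -> sub": cookies_sent(host_only, ROOT, SUB),
        "domain-wide -> root": cookies_sent(domain_wide, ROOT, ROOT),
        "domain-wide -> sub": cookies_sent(domain_wide, ROOT, SUB),
    }


if __name__ == "__main__":
    for case, header in scope_matrix().items():
        print(f"{case:22} Cookie: {header}")
```

A host-only cookie (no Domain) stays with unslumping.org, so the two sites' login state cookies do not collide; a Domain=unslumping.org cookie reaches fun.unslumping.org as well, which is the sharing the comment describes.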