Hi all! I have a feature request to make for Pritunl Zero.
As of now, every service I authenticate against creates a new cookie. I’d appreciate manually setting the domain field of the cookie in order to make sessions transferable between subdomains.
The cookie domain needs to begin with “.”, i.e. “.example.com”, in order to follow RFC 6265 Chapter 5.1.3 Domain Matching.
I was able to reproduce this by manually manipulating the cookie domain and prefixing the needed “.”. You can successfully transfer the zero-trust session between services.
This would make everything a lot easier since the user is allowed to authenticate once at the root domain and then open any succeeding site without authenticating again.
In this specific use case, the root domain contains a Launchpad, and the following services are subdomains.
Do you think you can implement this, or make it configurable from the UI?
This should already happen and there is an option labeled “Share session with subdomains” in the service settings. The code is in pritunl-zero/cookie/utils.go. It only goes up one domain level, so service.test.pritunl.com would become .test.pritunl.com and service.pritunl.com would become .pritunl.com.
I have added the option sudo pritunl-zero set router root_domain_cookie true to support using the root domain for the cookie to share the session over all subdomains.
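An added illustration of the behaviour described in the reply above (not code from pritunl-zero/cookie/utils.go or from the thread): deriving the one-level-up and root cookie domains and checking which hosts they cover under RFC 6265 domain matching. The function names and the two-label root rule are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// normHost lowercases, strips port and trailing dot; "" for IP addresses.
func normHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	if net.ParseIP(host) != nil {
		return ""
	}
	return host
}

// cookieDomain returns the Domain attribute, or "" to keep the cookie host-only.
// root=false goes up one level; root=true keeps the last two labels (assumption:
// a two-label registrable domain; co.uk-style suffixes need a public suffix list).
func cookieDomain(host string, root bool) string {
	labels := strings.Split(normHost(host), ".")
	if len(labels) < 3 {
		return "" // never widen to a bare TLD such as ".com"
	}
	if root {
		labels = labels[len(labels)-3:]
	}
	return "." + strings.Join(labels[1:], ".")
}

// domainMatch applies RFC 6265 section 5.1.3 to a request host; the leading
// dot is dropped first, as section 5.2.3 has user agents do when parsing.
func domainMatch(host, domain string) bool {
	h := normHost(host)
	domain = strings.ToLower(strings.TrimPrefix(domain, "."))
	if h == "" || domain == "" {
		return false
	}
	return h == domain || strings.HasSuffix(h, "."+domain)
}

func main() {
	h := "service.test.pritunl.com"
	fmt.Println(cookieDomain(h, false), cookieDomain(h, true), domainMatch(h, ".pritunl.com"))
}
```

A cookie scoped to .test.pritunl.com is not sent to launchpad.pritunl.com, which is the case the root-domain setting addresses.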
Hi Zach, thanks for the reply and the code change!
Maybe I’m missing something or I have a heavily misconfigured instance.
Your first response said (and I could also verify this by looking at your code) that with the “share with subdomain” function, the session cookie already should be prefixed with “.” and move to its parent?
I.e. if I access xy.example.com, the cookie should be “.example.com” even without your current change?
If so, this is not working for me as of now. Is there any other configuration conflicting with those options (policies or something)? Or has having the cookie point to the root-domain been generally disallowed by your current implementation?
Either way, thanks for your implementation. Appreciate it.