While logged into AMO, the disco pane (https://services.addons.mozilla.org/en-US/firefox/discovery/3.7pre/Darwin) doesn't show me as logged in. This worked on preview, so guessing there's a problem with services reading the cookie.
addons.mozilla.org tells me this: Set-Cookie: AMOv3=xxx; path=/; secure; HttpOnly
We're using standard domain cookies which means they are only accessible on AMO. We could switch them to *.AMO but that means any other subdomain could see them, including FAMO, BAMO, PAMO, LAMO, and all the rest. I don't trust any of those to see sessions. We may need to XHR this data in after the page load.
Why don't you trust those to see sessions? It seems like accessing the AMO session from other subdomains will be desirable and possibly necessary in the future.
FAMO is one of the most widely targeted and exploited forums on the market, BAMO has a questionable past regarding security, PAMO is not always tested code and can have exploits on it. I don't see lifting the restriction.
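The scoping rule behind the comments above, as an added example that is not code from the bug or from AMO: a small model of RFC 6265 cookie domain matching showing why the host-only `AMOv3` cookie never reaches services.addons.mozilla.org, and why widening it with a Domain attribute exposes it to every subdomain. It assumes the later "cross domain" cookie was done with a `Domain=.addons.mozilla.org` attribute, and the host names not quoted in the bug are constructed.

```python
# Minimal RFC 6265 cookie-scope model (added example, not AMO code).

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs).
    Attribute names are case-insensitive, so they are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def domain_matches(host, domain):
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it.
    The '.' boundary matters: lookalike-addons.mozilla.org must not match."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def hosts_receiving(header, set_by, hosts):
    """Return the hosts to which a browser would send the cookie it received
    from set_by. Also returns [] when the browser rejects the cookie because
    its Domain attribute does not cover the host that set it."""
    _, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if not domain:
        # No Domain attribute: host-only cookie, sent to the exact host only.
        return [h for h in hosts if h.lower() == set_by.lower()]
    if not domain_matches(set_by, domain):
        return []  # setter is outside the Domain it asked for: rejected
    return [h for h in hosts if domain_matches(h, domain)]

if __name__ == "__main__":
    SET_BY = "addons.mozilla.org"
    HOSTS = [  # constructed: hosts from the bug plus two hypothetical ones
        "addons.mozilla.org",
        "services.addons.mozilla.org",
        "other.addons.mozilla.org",
        "lookalike-addons.mozilla.org",
    ]
    # Header quoted in the bug: host-only, so only addons.mozilla.org sees it.
    before = "AMOv3=xxx; path=/; secure; HttpOnly"
    # Assumed form of the later cross-domain cookie: a Domain attribute.
    after = "AMOv3=xxx; Domain=.addons.mozilla.org; path=/; secure; HttpOnly"
    print("host-only cookie sent to:", hosts_receiving(before, SET_BY, HOSTS))
    print("domain cookie sent to:   ", hosts_receiving(after, SET_BY, HOSTS))
```

The second call is the trade-off the thread describes: once the Domain attribute is set, every current and future subdomain receives the session cookie, so each of them has to be trusted with it.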
So, -> potch for front end stuff. If you need someone to make you a back end chunk, let us know.
Assignee: clouserw → thepotch
Priority: P2 → P3
I'm taking this. Our cookie issues aren't resolved yet, but we're doing it the right way so it'll make this much better once we solve it.
Assignee: thepotch → clouserw
Target Milestone: 5.12.2 → 5.12.3
Well, the cookie is cross domain now, so this should just work. We won't know until it's in production though and you'll probably need to log out/in.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Although I can't verify this _in prod_, I've verified that https://addons.allizom.org/en-US/firefox/discovery/3.6/Linux and the like pay attention to our logged-in/logged-out state, and reflect that correctly, on next/preview. I'll verify post-push.
I spun off bug 613574 to cover SAMO.
Product: addons.mozilla.org → addons.mozilla.org Graveyard