This document describes the additional cookies used internally by the WebLogin script, which are not part of the general WebAuth protocol.
WebLogin Test Cookie
The first time a user goes to the WebLogin server, it tries to set a cookie with the name WebloginTestCookie and makes sure the browser returns that cookie. This cookie is a session cookie to try to match the behavior of the protocol cookies that WebAuth uses. It will have the value "True". If this cookie isn't set after the user authenticates, WebLogin will assume that the browser doesn't support cookies and will try to display an appropriate error message.
If WebLogin is configured to optionally allow Apache authentication before falling back to a username and password, it uses a cookie to store that user preference. See doc/weblogin-flow for more information about the page flow when optional REMOTE_USER is enabled.
The name of this cookie is weblogin_remuser and it will be set to either "1" or to an empty value (the latter only if the user has explicitly turned REMOTE_USER authentication off). Unlike all of the other cookies used by WebAuth, this is intended to be a persistant preference and is therefore not a session cookie. The lifetime is set to 365 days by default (set at the top of the login.fcgi script -- currently, this is not a configurable parameter).
If this cookie is already present and WebLogin isn't changing its value due to changed user configuration, WebLogin will reset it with an updated expiration date. That way, the cookie will still expire if the user stops using that WebLogin server, but provided that they use the server at least once a year, the cookie will not expire.
- Copyright 2007, 2009
The Board of Trustees of the Leland Stanford Junior University
Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.