From 623c000e7995a00c9444659a189e48671cc6972d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torsten=20Irl=C3=A4nder?=
Date: Wed, 21 Jun 2017 11:41:40 +0200
Subject: [PATCH 1/2] Make `wild_domain` for AuthTktAuthenticationPolicy configurable

See http://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html for more details. For security reasons the wildcard on domains for cookies can be disabled.
---
 ringo/lib/security.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ringo/lib/security.py b/ringo/lib/security.py
index df8f3724..5d65fcb7 100644
--- a/ringo/lib/security.py
+++ b/ringo/lib/security.py
@@ -162,6 +162,7 @@ def setup_ringo_security(config):
 domain = settings.get("security.cookie_domain")
 httponly = settings.get("security.cookie_httponly", "false") == "true"
 cookie_name = settings.get("security.cookie_name", "auth_tkt")
+ wild_domain = settings.get("security.cookie_domain_wildcard", "true") == "true"
 authn_policy = AuthTktAuthenticationPolicy(secret,
 secure=secure,
 hashalg='sha512',
@@ -171,6 +172,7 @@ def setup_ringo_security(config):
 include_ip=include_ip,
 path=path,
 domain=domain,
+ wild_domain=wild_domain,
 http_only=httponly,
 cookie_name=cookie_name)
 authz_policy = ACLAuthorizationPolicy()

From 82c9a1d18d34527102c97f880c6f5716fe94d595 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torsten=20Irl=C3=A4nder?=
Date: Wed, 21 Jun 2017 11:47:46 +0200
Subject: [PATCH 2/2] Added documentation on config option of domain wildcard.

---
 docs/source/start.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/source/start.rst b/docs/source/start.rst
index 8f6304ef..41a33afd 100644
--- a/docs/source/start.rst
+++ b/docs/source/start.rst
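Review bot: The new `wild_domain` line in the first hunk defaults to `"true"`, so the wildcard-domain cookie that the commit message itself describes as a security concern stays enabled unless an operator explicitly opts out; consider documenting that deployments which do not need the cookie on subdomains should set `security.cookie_domain_wildcard = false`. If I recall Pyramid's AuthTktCookieHelper correctly, `wild_domain` is only consulted when no explicit `domain` is configured, so with `security.cookie_domain` set the new option would have no effect — worth a comment on the new line, e.g. `# Pyramid only applies wild_domain when no explicit cookie domain is given`, and a sentence in the settings docs. The `== "true"` comparison mirrors the existing `httponly` line, but any other spelling (`True`, `yes`, `1`) silently disables the wildcard; if `pyramid.settings.asbool` is already imported in this module it would parse the usual boolean spellings consistently. The second hunk only forwards the value to `AuthTktAuthenticationPolicy` and needs no change. `setup_ringo_security` starts and ends outside both hunks.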
@@ -2151,6 +2151,12 @@ security.cookie_domain
 Defaults to the current domain and all subdomains (is automatically determined by the server). The scope of the cookie will bound to a specific domain.
+security.cookie_domain_wildcard
+ Defaults to `true` An auth_tkt cookie will be generated for the
+ wildcard domain. If your site is hosted as example.com this will make
+ the cookie available for sites underneath example.com such as
+ www.example.com.
+
 security.cookie_name
 Defaults to 'auth_tkt'. Needs to be set in case you have multiple ringo applications on the same server.