No WWW « Trevor Power

I have never really thought about it before, but I hardly ever type ‘WWW’ into an address bar. Out of habit I skip this part of any URL. It has never caused me any problems till this week, for one of my own websites.

As I’ve said in an earlier post, I have added OpenID support to one of my websites. I used the DotNetOpenId library. This library made the development very easy and was up and running in no time on my development machine. But recently I have published the website to a live server and things haven’t been going that smoothly.

When a user provides an OpenID the url they entered must be stored on your server while the client is directed to the third party OpenID provider. This is to do with the fact that the url might redirect to another url/provider for authentication and in this case the original ulr/id may not come back when authenticated. To store the original url on the server I just bunged it into the session (I believe this is standard practice). However when I tested it on the live server I would always get an error because the session would be empty.

I then noticed that if from the error page, I try to log in again it would succeed. Eventually I figured out what was going on. The return address I was providing was of the form ‘www.mysite.com’ while I always typed ‘mysite.com’ when testing. Switching from the non ‘WWW’ version to the ‘WWW’ version of the url caused the session to be cleared.

Another problem is that when being authenticated by an OpenID provider, the relying party must provide a ‘realm’ that the user is authenticated for. The realm is basically the domain of the relying party website. The problem is that ‘www.mysite.com’ is not considered part of the ‘mysite.com’ realm.

This means that to keep things simple I had to decide which address I was going to use and redirect one to the other. The choice was made simple because no-www.org had some good arguments and the yes-www.org website was down (or maybe I forgot the www).

Redirecting turned out to be easier than I thought (I didn’t need to contact hosting provider). I just added a ‘.htaccess‘ file to the root of my directory with the following lines

RewriteEngine OnRewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

This tip I got from no-www.org.

This entry was posted on November 8, 2008, 05:40 and is filed under Software Development. You can follow any responses to this entry through RSS 2.0. Both comments and pings are currently closed.

#1 by Andrew on November 9, 2008 - 01:55

Hi Trevor,

There shouldn’t be a need to store what the OpenID the user typed in in your Session state. Instead, you should be looking at the IAuthenticationResponse’s ClaimedIdentifier and FriendlyIdentifierForDisplay properties and using those when the user logs in.
In general, you should never store the text value the user typed in because doing so introduces several security problems that could allow attackers to spoof identity of your users.

I would hope that would solve your www vs. no-www problem as well.

#2 by Trevor Power on November 9, 2008 - 17:35

Hi Andrew,

Thanks for the tip. I will make your suggested changes. But I will keep the redirect to avoid problems with the ‘realm’.

Dani: Hi Trev, As promised I paid a visit to your blog I have to say that the Tadmap project looks really interesting....
ircguru: Nice Post, btw do you know any good [url=http://maillistarchives.c om]usenet archives and or mailing list...
chris: good one ;D
Declan Meenagh: Did you get any update on this? I am doing a project on the G1 and I'm looking for options to get it...
Webmonkey-in-Ireland: Hi Trevor, thanks for the Twitter follow. Just in case it helps- you can fully mock HttpContext...

Trevor Power

Software development and other thoughts

No WWW

2 Comments

Comments are closed.

Twitter

Recent Comments