by tipsysquid 2245 days ago
I can't say for certain why this bug is exposed by NYTimes; however, I saw a comment on HN about trailing dots on domain names[1] being a browser implementation quirk.

The author of that article suggests that NYTimes may have misconfigured their Apache VirtualHost.

[1] http://www.dns-sd.org/TrailingDotsInDomainNames.html

1 comments

It's simpler than that. I'd disagree that it's a site config bug. I think this is intended operation with respect to browsers.

Your browser won't allow access to cookies of "nytimes.com" to the "nytimes.com." domain, because they are different. "nytimes.com" is ambiguous.

If you were on the "example.com." network, and you typed in nytimes.com, it could be nytimes.com. OR nytimes.com.example.com.

Based on what you are saying though, you lead me to believe that the NYTimes wants this behavior to occur, which I doubt.

If they want to paywall access to their site but adding a dot to the domain causes it to be bypassed, then it is misconfigured in some way, regardless of cookies.

> Based on what you are saying though, you lead me to believe that the NYTimes wants this behavior to occur, which I doubt.

Not at all. We wouldn't expect reddit.com. to share cookies with news.ycombinator.com. The browser enforces that hard separation between the 2 domains with respect to access to cookies and such.

That's the same split with nytimes.com and nytimes.com. . The browser sees them as 2 distinct domains, and will absolutely not let cookies cross.

> If they want to paywall access to their site but adding a dot to the domain causes it to be bypassed, then it is misconfigured in some way, regardless of cookies.

It's their choice (nytimes) to not do a paywall for a 'new potential customer'. And that data is stored in cookies. You can simulate that by purging all nytimes cookies and you can access as no initial paywall.

Going to their FQDN is a 'different domain' with respect to the browser and its cookie store. So it's only logical that you start 'fresh' (aka: no cookie history). And there's nothing that I know of that can allow cookie sharing... Then again I do systems administration.

> It's their choice (nytimes) to not do a paywall for a 'new potential customer'. And that data is stored in cookies. You can simulate that by purging all nytimes cookies and you can access as no initial paywall.

Thank you for clarifying. I hadn't considered that NYTimes may not show paywall for a 'new potential customer' since I am all too familiar with their paywall.
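
An added example, not part of any comment in this thread: the cookie domain-match rule from RFC 6265 section 5.1.3, which is why the trailing-dot host starts with an empty cookie scope, next to a server-side check that redirects such a Host header to the canonical name so all visitors share one scope. The helper `routeHost`, its return shape and the served-host list are hypothetical, and the host names are constructed sample values.

```javascript
// Added example. Host names are constructed sample values.

// RFC 6265 section 5.1.3 domain-match: may a cookie scoped to `cookieDomain`
// be sent to `host`? Assumes `host` carries no port.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  // Suffix match only on a label boundary, never for IP literals.
  return !isIp && h.endsWith("." + d);
}

// Hypothetical server-side helper: decide what to do with a request's Host
// header so every visitor ends up in one cookie scope.
// Assumes no IPv6 literal hosts (the port is split off at the first colon).
function routeHost(hostHeader, path, servedHosts) {
  const rawHost = hostHeader.split(":")[0];
  // Lower-case and drop a single trailing root dot.
  const canonical = rawHost.toLowerCase().replace(/\.$/, "");
  if (!servedHosts.includes(canonical)) return { action: "reject" };
  if (rawHost === canonical) return { action: "serve" };
  return { action: "redirect", location: `https://${canonical}${path}` };
}

const served = ["nytimes.com", "www.nytimes.com"];
const samples = ["nytimes.com", "www.nytimes.com", "nytimes.com.",
                 "nytimes.com.example.com"];
for (const host of samples) {
  console.log(host, domainMatch(host, "nytimes.com"),
              routeHost(host, "/", served));
}
```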