OASIS Mailing List Archives

wsrp message



Subject: Consumer cookie handling use cases


Hello all,

Sorry to take so long to get the use-cases out for this.  As I 
understand the issue, we have a mismatch between different consumers' 
handling of cookies set by producer portlets and how they are shared 
with other producers accessed by the consumer for the same user.

Use case 1: sharing cookies with other producers.

A consumer is consuming portlets from producer A and producer B; if one 
of the portlets on producer A sets an authentication cookie for 
single-sign-on functionality, portlets on producer B would want to 
receive that cookie to prevent the user from having to authenticate with 
a portlet on producer B as well.

Use case 2: isolating cookies to individual producers

A consumer is consuming portlets from producer C and producer D.  A 
portlet on producer C may set the same cookie name (with different 
semantics) as a portlet on producer D; these cookies ideally would not 
collide but be provided to each producer as they were set for that producer.

Alternately, producer C and D may be from different organizations, and 
authentication-type cookies should not be shared between the producers 
for security reasons.


I believe both are valid use-cases.

  Kevin
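
One way a consumer could satisfy both use cases above, as an added example that is not part of the original message or of the WSRP specification. It assumes a hypothetical policy in which producers are isolated by default and share cookies only inside an explicitly configured trust group; the class, method and producer names are all constructed for illustration.

```python
from collections import defaultdict


class ConsumerCookieStore:
    """Per-user cookie store a consumer keeps on behalf of producers.

    Assumption (not from the message): producers are isolated by default and
    share cookies only inside an explicitly configured trust group.
    """

    def __init__(self, trust_groups=None):
        # Map producer id -> scope key. Producers in the same trust group
        # share one scope; every other producer gets a scope of its own.
        self._scope_of = {}
        for group, producers in (trust_groups or {}).items():
            for producer in producers:
                if producer in self._scope_of:
                    raise ValueError(f"{producer} is in more than one trust group")
                self._scope_of[producer] = ("group", group)
        # (user, scope) -> {cookie name: value}
        self._jars = defaultdict(dict)

    def _scope(self, producer):
        return self._scope_of.get(producer, ("producer", producer))

    def store(self, user, producer, name, value):
        """Record a cookie set by a portlet on `producer` for `user`."""
        self._jars[(user, self._scope(producer))][name] = value

    def cookies_for(self, user, producer):
        """Cookies the consumer may send to `producer` for `user`."""
        return dict(self._jars.get((user, self._scope(producer)), {}))


def demo():
    # Constructed sample: A and B belong to one SSO deployment; C and D are
    # unrelated organizations that happen to use the same cookie name.
    store = ConsumerCookieStore(trust_groups={"sso": ["producerA", "producerB"]})
    store.store("alice", "producerA", "SSO_TOKEN", "tok-a1")  # use case 1
    store.store("alice", "producerC", "session", "c-123")     # use case 2
    store.store("alice", "producerD", "session", "d-456")
    return {p: store.cookies_for("alice", p)
            for p in ("producerA", "producerB", "producerC", "producerD")}


if __name__ == "__main__":
    for producer, cookies in demo().items():
        print(producer, cookies)
```

Keying the jar on the user as well as the scope keeps one user's authentication cookie from being replayed to a producer on behalf of another user.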

