fix #1407

Former-commit-id: acd8d582aab7b278ea99d0f02d79a33a8b5ee86f

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,5 +1,5 @@
 # We'd love to see more contributions
 
-Read how you can [contribute to the project](https://github.com/kataras/blob/master/CONTRIBUTING.md).
+Read how you can [contribute to the project](https://github.com/kataras/iris/blob/master/CONTRIBUTING.md).
 
 > Please attach an [issue](https://github.com/kataras/iris/issues) link which your PR solves otherwise your work may be rejected.

go.mod

@@ -29,6 +29,7 @@ require (
 	github.com/ryanuber/columnize v2.1.0+incompatible
 	github.com/schollz/closestmatch v2.1.0+incompatible
 	golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413
+	golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553
 	golang.org/x/text v0.3.0
 	gopkg.in/ini.v1 v1.51.0
 	gopkg.in/yaml.v2 v2.2.2

sessions/cookie.go

@@ -8,6 +8,8 @@ import (
 	"time"
 
 	"github.com/kataras/iris/v12/context"
+
+	"golang.org/x/net/publicsuffix"
 )
 
 var (
@@ -90,32 +92,50 @@ func IsValidCookieDomain(domain string) bool {
 	return true
 }
 
+// func formatCookieDomain(ctx context.Context, disableSubdomainPersistence bool) string {
+// 	if disableSubdomainPersistence {
+// 		return ""
+// 	}
+
+// 	requestDomain := ctx.Host()
+// 	if portIdx := strings.IndexByte(requestDomain, ':'); portIdx > 0 {
+// 		requestDomain = requestDomain[0:portIdx]
+// 	}
+
+// 	if !IsValidCookieDomain(requestDomain) {
+// 		return ""
+// 	}
+
+// 	// RFC2109, we allow level 1 subdomains, but no further
+// 	// if we have localhost.com , we want the localhost.com.
+// 	// so if we have something like: mysubdomain.localhost.com we want the localhost here
+// 	// if we have mysubsubdomain.mysubdomain.localhost.com we want the .mysubdomain.localhost.com here
+// 	// slow things here, especially the 'replace' but this is a good and understable( I hope) way to get the be able to set cookies from subdomains & domain with 1-level limit
+// 	if dotIdx := strings.IndexByte(requestDomain, '.'); dotIdx > 0 {
+// 		// is mysubdomain.localhost.com || mysubsubdomain.mysubdomain.localhost.com
+// 		if strings.IndexByte(requestDomain[dotIdx+1:], '.') > 0 {
+// 			requestDomain = requestDomain[dotIdx+1:]
+// 		}
+// 	}
+
+// 	// finally set the .localhost.com (for(1-level) || .mysubdomain.localhost.com (for 2-level subdomain allow)
+// 	return "." + requestDomain // . to allow persistence
+// }
+
 func formatCookieDomain(ctx context.Context, disableSubdomainPersistence bool) string {
 	if disableSubdomainPersistence {
 		return ""
 	}
 
-	requestDomain := ctx.Host()
+	host := ctx.Host()
-	if portIdx := strings.IndexByte(requestDomain, ':'); portIdx > 0 {
+	if portIdx := strings.IndexByte(host, ':'); portIdx > 0 {
-		requestDomain = requestDomain[0:portIdx]
+		host = host[0:portIdx]
 	}
 
-	if !IsValidCookieDomain(requestDomain) {
+	domain, err := publicsuffix.EffectiveTLDPlusOne(host)
-		return ""
+	if err != nil {
+		return "." + host
 	}
 
-	// RFC2109, we allow level 1 subdomains, but no further
+	return "." + domain
-	// if we have localhost.com , we want the localhost.com.
-	// so if we have something like: mysubdomain.localhost.com we want the localhost here
-	// if we have mysubsubdomain.mysubdomain.localhost.com we want the .mysubdomain.localhost.com here
-	// slow things here, especially the 'replace' but this is a good and understable( I hope) way to get the be able to set cookies from subdomains & domain with 1-level limit
-	if dotIdx := strings.IndexByte(requestDomain, '.'); dotIdx > 0 {
-		// is mysubdomain.localhost.com || mysubsubdomain.mysubdomain.localhost.com
-		if strings.IndexByte(requestDomain[dotIdx+1:], '.') > 0 {
-			requestDomain = requestDomain[dotIdx+1:]
-		}
-	}
-
-	// finally set the .localhost.com (for(1-level) || .mysubdomain.localhost.com (for 2-level subdomain allow)
-	return "." + requestDomain // . to allow persistence
 }