Hard Coded Cookie Path


Hard Coded Cookie Path

deepak nigam-2
Hello Folks,

During the code walkthrough, I observed that everywhere the cookie path
attribute is hardcoded as root '/' using the setPath() method. This is not
the correct implementation because if the cookie path is set to the root
'/', then the cookie will be sent to all the applications under the same
domain.

Is there any best practice around this? Should it be configurable?
IMO, the cookie path should be set to '/users/' directory. WDYT?


Thanks!

Deepak Nigam
HotWax Systems Pvt. Ltd

Re: Hard Coded Cookie Path

grv
Hi Deepak

That largely depends on the use case, whether to set the cookie path as the root
of the web server or not. Yes, generally, it is preferred to keep the
cookies separate for the various web apps deployed on the server.

In OFBiz's case, various web applications are deployed on separate mount
points, and if you take, for example, the case of the visitor cookie, then it
makes sense to keep its path as root because a visitor (same person)
visiting order manager and accounting should be counted as the same,
single visitor. You do not want the server to create a new visitor cookie for
order manager if the user has already visited accounting.

The browser will send the visitor cookie as part of the request to order manager,
which helps OFBiz identify the visitor.

Often certain other use cases demand server session to be maintained across
different web applications. Imagine a scenario where you log in to a parent
web application and then a separate module is part of a different web
application and you navigate to the sub module from the parent module. You
would ideally want the session cookie to be "transferred" from parent web
app to sub web app. Here you will have to make sure the session cookie
created by the server has the path "/" set. If that is not the case, then
navigating from parent web app to sub web app will result in session loss.

So, all in all, it is mostly based on your scenario. I hope that makes
sense.

Thanks,
Girish Vasmatkar
HotWax Systems


On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam <[hidden email]>
wrote:

> Hello Folks,
>
> During the code walkthrough, I observed that everywhere the cookie path
> attribute is hardcoded as root '/' using the setPath() method. This is not
> the correct implementation because if the cookie path is set to the root
> '/', then the cookie will be sent to all the applications under the same
> domain.
>
> Is there any best practice around this? Should it be configurable?
> IMO, the cookie path should be set to '/users/' directory. WDYT?
>
>
> Thanks!
>
> Deepak Nigam
> HotWax Systems Pvt. Ltd
>
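The cookie path-matching rule behind the two layouts Girish describes (a site-wide visitor cookie at "/" versus per-webapp session cookies that are lost when navigating between mount points), as an added example that is not part of the original thread or of OFBiz's code; the mount-point names and cookie names in the sample jar are assumptions.

```python
# Added example (not from the OFBiz thread): RFC 6265 section 5.1.4 path rules
# applied to a site-wide cookie and per-webapp cookies on the same host.


def default_path(request_path: str) -> str:
    """Default-path a browser assigns when Set-Cookie carries no Path attribute:
    the request path up to, but not including, its right-most '/'."""
    if not request_path.startswith("/"):
        return "/"
    last_slash = request_path.rfind("/")
    if last_slash == 0:
        return "/"
    return request_path[:last_slash]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: identical paths, or cookie_path is a prefix of
    request_path that either ends in '/' or is followed by '/' in request_path.
    The second clause is why '/users' does not match '/usersadmin'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(jar, request_path: str):
    """Sorted names of the cookies a browser attaches to a request, given a jar
    of (name, path) pairs already stored for this host."""
    return sorted(name for name, path in jar if path_matches(request_path, path))


# Constructed sample jar (assumed names, not OFBiz's real configuration):
# one visitor cookie at "/" shared by every webapp, and a session cookie per
# mount point as a servlet container would issue it by default.
SAMPLE_JAR = [
    ("OFBiz.Visitor", "/"),        # path "/" -> counted once across all webapps
    ("JSESSIONID", "/ordermgr"),   # per-webapp session, not sent to /accounting
    ("JSESSIONID", "/accounting"),
    ("users-pref", "/users/"),     # the '/users/' layout proposed in the thread
]

if __name__ == "__main__":
    for path in ("/ordermgr/control/main", "/accounting/control/main", "/usersadmin"):
        print(path, "->", cookies_sent(SAMPLE_JAR, path))
```

A session cookie scoped to "/ordermgr" is simply absent from a request to "/accounting", which is the "session loss" described above; the visitor cookie at "/" accompanies every request.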

Re: Hard Coded Cookie Path

deepak nigam-2
Thanks Girish for the explanation.

What should be the best way to set cookie path for an e-commerce
application?

On Fri, Oct 5, 2018 at 10:48 AM Girish Vasmatkar <[hidden email]> wrote:

> Hi Deepak
>
> That largely depends on the use case, whether to set the cookie path as the root
> of the web server or not. Yes, generally, it is preferred to keep the
> cookies separate for the various web apps deployed on the server.
>
> In OFBiz's case, various web applications are deployed on separate mount
> points, and if you take, for example, the case of the visitor cookie, then it
> makes sense to keep its path as root because a visitor (same person)
> visiting order manager and accounting should be counted as the same,
> single visitor. You do not want the server to create a new visitor cookie for
> order manager if the user has already visited accounting.
>
> The browser will send the visitor cookie as part of the request to order manager,
> which helps OFBiz identify the visitor.
>
> Often certain other use cases demand server session to be maintained across
> different web applications. Imagine a scenario where you log in to a parent
> web application and then a separate module is part of a different web
> application and you navigate to the sub module from the parent module. You
> would ideally want the session cookie to be "transferred" from parent web
> app to sub web app. Here you will have to make sure the session cookie
> created by the server has the path "/" set. If that is not the case, then
> navigating from parent web app to sub web app will result in session loss.
>
> So, all in all, it is mostly based on your scenario. I hope that makes
> sense.
>
> Thanks,
> Girish Vasmatkar
> HotWax Systems
>
>
> On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam <[hidden email]>
> wrote:
>
> > Hello Folks,
> >
> > During the code walkthrough, I observed that everywhere the cookie path
> > attribute is hardcoded as root '/' using the setPath() method. This is not
> > the correct implementation because if the cookie path is set to the root
> > '/', then the cookie will be sent to all the applications under the same
> > domain.
> >
> > Is there any best practice around this? Should it be configurable?
> > IMO, the cookie path should be set to '/users/' directory. WDYT?
> >
> >
> > Thanks!
> >
> > Deepak Nigam
> > HotWax Systems Pvt. Ltd
> >
>