Hello Folks,
During the code walkthrough, I observed that everywhere the cookie path attribute is hardcoded as root '/' using the setPath() method. This is not the correct implementation because if the cookie path is set to the root '/', then the cookie will be sent to all the applications under the same domain.

Is there any best practice around this? Should it be configurable? IMO, the cookie path should be set to the '/users/' directory. WDYT?

Thanks!
Deepak Nigam
HotWax Systems Pvt. Ltd
Hi Deepak
That largely depends on the use case, whether to set the cookie path as the root of the web server or not. Yes, generally, it is preferred to keep the cookies separate for the various web apps deployed on the server.

In OFBiz's case, various web applications are deployed on separate mount points, and if you take, for example, the case of the visitor cookie, then it makes sense to keep its path as root because a visitor (the same person) visiting order manager and accounting should be counted as the same, single visitor. You do not want the server to create a new visitor cookie for order manager if the user has already visited accounting. The browser will send the visitor cookie as part of the request to order manager, which helps OFBiz identify the visitor.

Often certain other use cases demand that the server session be maintained across different web applications. Imagine a scenario where you log in to a parent web application, a separate module is part of a different web application, and you navigate to the sub module from the parent module. You would ideally want the session cookie to be "transferred" from the parent web app to the sub web app. Here you will have to make sure the session cookie created by the server has the path "/" set. If that is not the case, then navigating from the parent web app to the sub web app will result in session loss.

So, all in all, it is mostly based on your scenario. I hope that makes sense.

Thanks,
Girish Vasmatkar
HotWax Systems

On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam <[hidden email]> wrote:
> Hello Folks,
>
> During the code walkthrough, I observed that everywhere the cookie path attribute is hardcoded as root '/' using the setPath() method. This is not the correct implementation because if the cookie path is set to the root '/', then the cookie will be sent to all the applications under the same domain.
>
> Is there any best practice around this? Should it be configurable? IMO, the cookie path should be set to the '/users/' directory. WDYT?
>
> Thanks!
> Deepak Nigam
> HotWax Systems Pvt. Ltd
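The path-matching rule the discussion above relies on (why a root-path visitor cookie reaches every webapp while a cookie scoped to one mount point does not) is RFC 6265 section 5.1.4. The following is an added example, not OFBiz code or anything posted in this thread; the cookie names, the mount points and the request paths are constructed to mirror the scenarios described.

```python
"""RFC 6265 cookie path scoping, applied to webapps on separate mount points."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    path: str  # the value handed to Cookie.setPath(); the thread says OFBiz uses "/"


def default_path(request_uri_path: str) -> str:
    """Path a browser assigns when Set-Cookie carries no Path attribute (RFC 6265 5.1.4)."""
    if not request_uri_path.startswith("/") or request_uri_path.count("/") <= 1:
        return "/"
    # everything up to, but not including, the right-most "/"
    return request_uri_path[: request_uri_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: is a cookie with cookie_path sent on a request to request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # a prefix only counts at a segment boundary: "/acc" must not match "/accounting"
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(jar, request_path):
    """Names of the cookies the browser attaches to a request for request_path."""
    return sorted(c.name for c in jar if path_matches(request_path, c.path))


# Constructed sample jar (hypothetical names), modelling the thread's scenarios.
JAR = [
    Cookie("OFBiz.Visitor", "/"),         # visitor cookie at root: shared by all webapps
    Cookie("JSESSIONID", "/accounting"),  # session cookie scoped to one webapp
    Cookie("users-pref", "/users/"),      # the '/users/' scope suggested in the question
]

if __name__ == "__main__":
    for p in ["/accounting/control/main", "/ordermgr/control/main", "/users", "/users/profile"]:
        print(p, "->", cookies_sent(JAR, p))
```

Navigating from /accounting to /ordermgr carries only the root-scoped visitor cookie, which is exactly the session loss described above; note also that a path of '/users/' (trailing slash) does not match a request for '/users' itself.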
Thanks Girish for the explanation.
What should be the best way to set the cookie path for an e-commerce application?

On Fri, Oct 5, 2018 at 10:48 AM Girish Vasmatkar <[hidden email]> wrote:
> Hi Deepak
>
> That largely depends on the use case, whether to set the cookie path as the root of the web server or not. Yes, generally, it is preferred to keep the cookies separate for the various web apps deployed on the server.
>
> In OFBiz's case, various web applications are deployed on separate mount points, and if you take, for example, the case of the visitor cookie, then it makes sense to keep its path as root because a visitor (the same person) visiting order manager and accounting should be counted as the same, single visitor. You do not want the server to create a new visitor cookie for order manager if the user has already visited accounting.
>
> The browser will send the visitor cookie as part of the request to order manager, which helps OFBiz identify the visitor.
>
> Often certain other use cases demand that the server session be maintained across different web applications. Imagine a scenario where you log in to a parent web application, a separate module is part of a different web application, and you navigate to the sub module from the parent module. You would ideally want the session cookie to be "transferred" from the parent web app to the sub web app. Here you will have to make sure the session cookie created by the server has the path "/" set. If that is not the case, then navigating from the parent web app to the sub web app will result in session loss.
>
> So, all in all, it is mostly based on your scenario. I hope that makes sense.
>
> Thanks,
> Girish Vasmatkar
> HotWax Systems
>
> On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam <[hidden email]> wrote:
> > Hello Folks,
> >
> > During the code walkthrough, I observed that everywhere the cookie path attribute is hardcoded as root '/' using the setPath() method. This is not the correct implementation because if the cookie path is set to the root '/', then the cookie will be sent to all the applications under the same domain.
> >
> > Is there any best practice around this? Should it be configurable? IMO, the cookie path should be set to the '/users/' directory. WDYT?
> >
> > Thanks!
> > Deepak Nigam
> > HotWax Systems Pvt. Ltd