Discussion:
Hard Coded Cookie Path
Deepak Nigam
2018-10-04 11:27:00 UTC
Hello Folks,

During the code walkthrough, I observed that everywhere the cookie path
attribute is hardcoded as root '/' using the setPath() method. This is not
the correct implementation, because if the cookie path is set to the root
'/', then the cookie will be sent to all the applications under the same
domain.

Is there any best practice around this? Should it be configurable?
IMO, the cookie path should be set to the '/users/' directory. WDYT?


Thanks!

Deepak Nigam
HotWax Systems Pvt. Ltd
Girish Vasmatkar
2018-10-05 05:17:51 UTC
Hi Deepak

Whether to set the cookie path to the root of the web server or not largely
depends on the use case. Yes, generally, it is preferred to keep the
cookies separate for the various web apps deployed on the server.

In the OFBiz case, the various web applications are deployed on separate
mount points, and if you take, for example, the case of the visitor cookie,
then it makes sense to keep its path as root, because a visitor (the same
person) visiting order manager and accounting should be counted as the same,
single visitor. You do not want the server to create a new visitor cookie
for order manager if the user has already visited accounting.

The browser will send the visitor cookie as part of the request to order
manager, which helps OFBiz identify the visitor.

Often, certain other use cases demand that the server session be maintained
across different web applications. Imagine a scenario where you log in to a
parent web application, a separate module is part of a different web
application, and you navigate to the sub-module from the parent module. You
would ideally want the session cookie to be "transferred" from the parent
web app to the sub web app. Here you will have to make sure the session
cookie created by the server has the path "/" set. If that is not the case,
then navigating from the parent web app to the sub web app will result in
session loss.

So, all in all, it is mostly based on your scenario. I hope that makes
sense.

Thanks,
Girish Vasmatkar
HotWax Systems
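The behaviour Girish describes (a Path=/ cookie reaching every mount point, a narrower path causing "session loss" when the user navigates to a sibling web app) is decided client-side by the RFC 6265 section 5.1.4 path-match rule. The following is an added example, not OFBiz code and not from either poster: it implements that rule plus the default-path computation and runs it over a constructed cookie jar. The cookie names and the /accounting, /ordermgr and /users/ mount points are assumptions chosen to mirror the thread. One caveat worth keeping in mind when reading the result: RFC 6265 section 8.5 states that the Path attribute only limits which requests carry the cookie and is not an isolation boundary between applications on the same host.

```javascript
// Added example (not OFBiz code). Models which cookies a browser attaches
// to a request, per RFC 6265 section 5.1.4, for OFBiz-style mount points.
// Cookie names and paths below are constructed assumptions.

// Default path for a Set-Cookie that carries no Path attribute
// (RFC 6265 section 5.1.4): the request path up to, but not including,
// the right-most "/"; "/" when the path is empty, does not start with "/",
// or contains no "/" other than the first character.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const idx = requestPath.lastIndexOf("/");
  if (idx === 0) return "/";
  return requestPath.slice(0, idx);
}

// path-match: the cookie path must be a prefix of the request path, and
// either end in "/" or be followed by "/" in the request path. This is why
// "/users" does not match "/usersfoo", and why "/users/" (with trailing
// slash) does not match a request for exactly "/users".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Names of the jar's cookies that the browser would send with a request
// for requestPath, longer paths first as RFC 6265 section 5.4 orders them.
function cookiesFor(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => c.name);
}

// Constructed jar: a root-scoped visitor cookie, a session cookie scoped
// to the accounting mount point, and a session cookie scoped to "/users/".
const jar = [
  { name: "OFBiz.Visitor", path: "/" },
  { name: "JSESSIONID_accounting", path: "/accounting" },
  { name: "JSESSIONID_users", path: "/users/" },
];

// Walk through the scenarios from the thread.
function demo() {
  return {
    // Root-scoped visitor cookie reaches every web app; the accounting
    // session cookie reaches only accounting.
    accounting: cookiesFor(jar, "/accounting/control/main"),
    // Navigating to the order manager: the accounting session is not sent,
    // i.e. the "session loss" Girish describes for a non-root path.
    ordermgr: cookiesFor(jar, "/ordermgr/control/main"),
    // A look-alike mount point does not match "/accounting".
    lookalike: cookiesFor(jar, "/accountingx/control/main"),
    // Trailing slash matters: "/users/" matches "/users/login" but not
    // a request for exactly "/users".
    usersLogin: cookiesFor(jar, "/users/login"),
    usersBare: cookiesFor(jar, "/users"),
    // Default path when setPath() is never called for a login request.
    defaultForLogin: defaultPath("/accounting/control/login"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the trade-off directly: the only cookie that survives a hop from /accounting to /ordermgr is the one with Path=/, and a cookie scoped to "/users/" is dropped for a request to the bare "/users" URL, so whichever path is chosen has to match how the application's URLs are actually formed.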
Deepak Nigam
2018-11-15 04:45:23 UTC
Thanks Girish for the explanation.

What should be the best way to set cookie path for an e-commerce
application?
