[tbnl-devel] Session cookie should be set for path=/

Hi!

I was hunting a bug. The session cookie was missing on all pages other than the originating page.

Then I've looked for the internal representation of the Cookie. My Firefox has stored it with a path value equal to the originating page.

I've checked some websites which use session cookies, too. One PHP site has a "path=/" in the Set-Cookie line of the response header.

RFC 2109 says about Set-Cookie:

    Path Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /.

So that's the correct behavior of my browser. For sessions the path should be set to "/" by the server.

In session.lisp, function start-session

    (set-cookie *session-cookie-name*
                :value (session-cookie-value session))

changed to

    (set-cookie *session-cookie-name*
                :value (session-cookie-value session)
                :path "/")

Regards,
Stefan

On Thu, 17 Mar 2005 19:46:22 +0100, Stefan Scholl <stesch@no-spoon.de> wrote:

> I was hunting a bug. The session cookie was missing on all pages other than the originating page.
>
> Then I've looked for the internal representation of the Cookie. My Firefox has stored it with a path value equal to the originating page.
>
> I've checked some websites which use session cookies, too. One PHP site has a "path=/" in the Set-Cookie line of the response header.
>
> RFC 2109 says about Set-Cookie:
>
>     Path Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /.
>
> So that's the correct behavior of my browser. For sessions the path should be set to "/" by the server.

I've added that to 0.5.1 although I'm not fully convinced that that's the right way. It should probably be customizable. Maybe you don't /want/ the session to be valid for the whole site...

Anyway, not today... :)

Thanks,
Edi.

On Mar 17, 2005, at 4:31 PM, Edi Weitz wrote:

> On Thu, 17 Mar 2005 19:46:22 +0100, Stefan Scholl <stesch@no-spoon.de> wrote:
>
>> I was hunting a bug. The session cookie was missing on all pages other than the originating page.
>>
>> Then I've looked for the internal representation of the Cookie. My Firefox has stored it with a path value equal to the originating page.
>>
>> I've checked some websites which use session cookies, too. One PHP site has a "path=/" in the Set-Cookie line of the response header.
>>
>> RFC 2109 says about Set-Cookie:
>>
>>     Path Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /.
>>
>> So that's the correct behavior of my browser. For sessions the path should be set to "/" by the server.
>
> I've added that to 0.5.1 although I'm not fully convinced that that's the right way. It should probably be customizable. Maybe you don't /want/ the session to be valid for the whole site...
>
> Anyway, not today... :)

I think this might address part of the problem that I was complaining about a couple of weeks ago ("Weird problem with cookies and startup"). I don't think I'll get a chance to test this today, so it'll be a little over a week before I can confirm.

Cheers,
Bob

> Thanks,
> Edi.
> _______________________________________________
> tbnl-devel site list
> tbnl-devel@common-lisp.net
> http://common-lisp.net/mailman/listinfo/tbnl-devel

----
Bob Hutchison -- blogs at <http://www.recursive.ca/hutch/>
Recursive Design Inc. -- <http://www.recursive.ca/>

On 2005-03-17 22:31:59, Edi Weitz wrote:

> On Thu, 17 Mar 2005 19:46:22 +0100, Stefan Scholl <stesch@no-spoon.de> wrote:
>
>> So that's the correct behavior of my browser. For sessions the path should be set to "/" by the server.
>
> I've added that to 0.5.1 although I'm not fully convinced that that's the right way. It should probably be customizable. Maybe you don't /want/ the session to be valid for the whole site...

Depending on the following click path there could be a session without a session cookie. The URL rewriting cares for that. Only the people who are paranoid enough to forbid cookies should be punished by strange URLs. :-)

Regards,
Stefan
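
As an added illustration that is not part of the thread or of TBNL's code: the sketch below models the default Path rule quoted from RFC 2109 and lists which requests carry the session cookie with and without an explicit path of "/". The request paths and cookie name are constructed sample values, and matching on whole path segments is an assumption about the browser.

```javascript
// Added example: which requests carry a session cookie, depending on its Path.
// The request paths and the cookie name below are constructed sample values.

// Default Path when Set-Cookie has no Path attribute: the request path up to,
// but not including, the right-most "/" (the RFC 2109 text quoted in the thread).
function defaultPath(requestPath) {
  const path = requestPath.split("?")[0];
  if (!path.startsWith("/")) return "/";
  const dir = path.slice(0, path.lastIndexOf("/"));
  return dir === "" ? "/" : dir; // nothing left before the last "/": site root
}

// Assumption: the browser sends the cookie when its Path is a prefix of the
// request path, compared on whole path segments ("/shop" does not match "/shopping").
function pathMatches(cookiePath, requestPath) {
  const path = requestPath.split("?")[0];
  if (cookiePath === "/" || path === cookiePath) return true;
  const prefix = cookiePath.endsWith("/") ? cookiePath : cookiePath + "/";
  return path.startsWith(prefix);
}

// Store a cookie the way a browser would after a response to originPath.
function storeCookie(originPath, name, explicitPath) {
  return { name, path: explicitPath ?? defaultPath(originPath) };
}

// Return the subset of requestPaths on which the cookie would be sent.
function sentOn(cookie, requestPaths) {
  return requestPaths.filter((p) => pathMatches(cookie.path, p));
}

const requests = ["/shop/login", "/shop/cart", "/shop/admin/users", "/blog/post?id=1", "/"];

// Before the change: no Path attribute, session started at /shop/login.
const scoped = storeCookie("/shop/login", "session");
// After the change: Path "/" set explicitly by the server.
const siteWide = storeCookie("/shop/login", "session", "/");

console.log(scoped.path, "->", sentOn(scoped, requests));
console.log(siteWide.path, "->", sentOn(siteWide, requests));
```

The first line of output shows the session disappearing outside the originating directory; the second shows the site-wide scope, where the session cookie also accompanies requests to unrelated paths on the same host.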

Participants (3): Bob Hutchison, Edi Weitz, Stefan Scholl