Posted to dev@unomi.apache.org by "matt fowler (Jira)" <ji...@apache.org> on 2022/02/25 16:12:00 UTC
[jira] [Created] (UNOMI-553) Add unomi session cookie options to web tracker to improve support of websites that use directories in the url with no intention of isolation.
matt fowler created UNOMI-553:
---------------------------------
Summary: Add unomi session cookie options to web tracker to improve support of websites that use directories in the url with no intention of isolation.
Key: UNOMI-553
URL: https://issues.apache.org/jira/browse/UNOMI-553
Project: Apache Unomi
Issue Type: Improvement
Reporter: matt fowler
The unomiSessionId cookie will get created by the web tracker if it is not already present. The creation of this cookie is done with help from the 'component-cookie', which in turn uses document.cookie to create it.
If the url being requested is something like "http://example.com" then the document.cookie will automatically create the unomiSessionId cookie with a path of '/'. This allows the cookie to be accessed throughout the rest of the session, even if the user goes to sub directories in the url such as "http://example.com/dir1/index.html".
However, if there isn't a unomiSessionId cookie present, and the first page that a user accesses is within a sub directory, such as "http://example.com/dir1/index.html", then the unomiSessionId gets created with a path of /dir1. This is the default behavior of document.cookie when the document is a directory off of the main url. Since the unomiSessionId cookie now has a path of /dir1, if the end user were to navigate to any other directory such as http://example.com/dir2/index.html or to the root url of http://example.com/ then a new session Id is created because the cookie is only readable off of the path of /dir1.
This behavior can be beneficial in some situations, but there are many cases where a site will have multiple sub directories with no intention of having isolation between each of them. The expected behavior in this scenario would be that a user coming in to http://example.com/dir1/index.html gets a session Id that remains throughout the entire interaction of http://example.com no matter what the path. Today that is not possible: a new session Id will be created with each visit to a new directory UNTIL they finally hit the base url, which will then cause a unomiSessionId cookie with a path of '/' which then can be used by all sub directories.
Proposed Fix:
Not sure if we want to change the default behavior in case this is working as intended for existing implementations. The proposed fix would be to have a unomiOption which could force the session cookie to use a custom path. Due to the library being used, it also might make sense to just allow for all of the cookie options to be exposed as a unomi option, resulting in something like:

    var unomiOption = {
        scope: 'my-scope',
        url: 'unomi-url',
        sessionCookieOptions: {
            path: '/',
            domain: '',
            expires: '',
            secure: true,
            maxage: ''
        }
    };
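The behavior described in this issue can be reproduced without a browser. The following is an added example, not code from Apache Unomi, component-cookie or the reporter: it models the RFC 6265 default-path and path-match rules and replays a constructed visit sequence. The function names and the `session-N` ids are hypothetical.

```javascript
// Added illustration, not Apache Unomi or component-cookie code.
// Models how a cookie written via document.cookie without an explicit
// path is scoped, per RFC 6265 section 5.1.4.

// Default cookie path for the document that sets the cookie.
function defaultCookiePath(url) {
  const uriPath = new URL(url).pathname;
  if (!uriPath.startsWith('/')) return '/';
  const lastSlash = uriPath.lastIndexOf('/');
  // Only the leading "/" is present: the default path is the root.
  return lastSlash === 0 ? '/' : uriPath.slice(0, lastSlash);
}

// Is a cookie scoped to cookiePath visible to a document at requestPath?
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A bare prefix is not enough: "/dir1" must not match "/dir10/...".
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Hypothetical helper: replay page visits and return the session id the
// tracker would see on each one. A new id is minted whenever no stored
// cookie matches. explicitPath stands in for sessionCookieOptions.path.
function simulateVisits(urls, explicitPath) {
  const jar = []; // constructed cookie jar: { path, id }
  return urls.map((url) => {
    const requestPath = new URL(url).pathname;
    // Longest matching path first, as in RFC 6265 section 5.4.
    const match = jar
      .filter((c) => pathMatches(c.path, requestPath))
      .sort((a, b) => b.path.length - a.path.length)[0];
    if (match) return match.id;
    const cookie = {
      path: explicitPath || defaultCookiePath(url),
      id: 'session-' + (jar.length + 1),
    };
    jar.push(cookie);
    return cookie.id;
  });
}

// Constructed visit sequence: two sub directories, the root, a third one.
const visits = [
  'http://example.com/dir1/index.html',
  'http://example.com/dir2/index.html',
  'http://example.com/',
  'http://example.com/dir3/index.html',
];
console.log('default path :', simulateVisits(visits));
console.log("path '/'     :", simulateVisits(visits, '/'));
```

With the default path the visitor gets a new id in each directory until the root is reached; with an explicit path of '/' the first id is kept for the whole visit.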