Posted to dev@ofbiz.apache.org by Deepak Nigam <de...@gmail.com> on 2018/11/15 04:45:23 UTC

Re: Hard Coded Cookie Path

Thanks Girish for the explanation.

What should be the best way to set the cookie path for an e-commerce
application?

On Fri, Oct 5, 2018 at 10:48 AM Girish Vasmatkar <
girish.vasmatkar@hotwaxsystems.com> wrote:

> Hi Deepak
>
> That largely depends on the use case, whether to set the cookie path as the root
> of the web server or not. Yes, generally, it is preferred to keep the
> cookies separate for the various web apps deployed on the server.
>
> In OFBiz's case, various web applications are deployed on separate mount
> points, and if you take, for example, the case of the visitor cookie, then it
> makes sense to keep its path as root because a visitor (same person)
> visiting order manager and accounting should be counted as the same, single
> visitor. You do not want the server to create a new visitor cookie for
> order manager if the user has already visited accounting.
>
> The browser will send the visitor cookie as part of the request to order manager,
> which helps OFBiz identify the visitor.
>
> Often certain other use cases demand that the server session be maintained across
> different web applications. Imagine a scenario where you log in to a parent
> web application and then a separate module is part of a different web
> application and you navigate to the sub module from the parent module. You
> would ideally want the session cookie to be "transferred" from the parent web
> app to the sub web app. Here you will have to make sure the session cookie
> created by the server has the path "/" set. If that is not the case, then
> navigating from the parent web app to the sub web app will result in session loss.
>
> So, all in all, it is mostly based on your scenario. I hope that makes
> sense.
>
> Thanks,
> Girish Vasmatkar
> HotWax Systems
>
>
> On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam <de...@gmail.com>
> wrote:
>
> > Hello Folks,
> >
> > During the code walkthrough, I observed that everywhere the cookie path
> > attribute is hardcoded as root '/' using the setPath() method. This is not
> > the correct implementation because if the cookie path is set to the root
> > '/', then the cookie will be sent to all the applications under the same
> > domain.
> >
> > Is there any best practice around this? Should it be configurable?
> > IMO, the cookie path should be set to '/users/' directory. WDYT?
> >
> >
> > Thanks!
> >
> > Deepak Nigam
> > HotWax Systems Pvt. Ltd
> >
>
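The thread turns on one question: which requests a browser attaches a cookie to, given the Path attribute the server set with setPath(). The following is an added example, not code from this thread or from OFBiz: it implements the path-match and default-path rules of RFC 6265 section 5.1.4 over a constructed cookie jar, so the effect of a root path ("/", as for the visitor cookie Girish describes) versus a per-webapp path (as Deepak proposes) can be checked offline. The cookie names, the mount points "/ordermgr" and "/accounting", and the request paths are constructed for illustration and are not taken from OFBiz configuration.

```python
"""Which cookies does a browser send to a given request path?

Added example (not OFBiz code): RFC 6265 section 5.1.4 path-match and
default-path rules, applied to a constructed cookie jar so the effect of
setPath("/") versus a per-webapp path can be inspected.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    path: str  # value of the Path attribute as set by the server


def default_path(request_path: str) -> str:
    """Path a cookie receives when the server omits the Path attribute.

    RFC 6265 5.1.4: "/" if the request path is empty, does not start with "/",
    or contains only one "/"; otherwise the request path up to (not including)
    its right-most "/".
    """
    if not request_path or not request_path.startswith("/"):
        return "/"
    if request_path.count("/") <= 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: does this request path receive the cookie?"""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # cookie-path is a prefix of request-path; it matches only if the prefix
    # ends at a "/" boundary ("/ordermgr" must not match "/ordermgr2/...").
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def cookies_sent(jar: list[Cookie], request_path: str) -> list[str]:
    """Names of the cookies in `jar` that the browser attaches to `request_path`."""
    return sorted(c.name for c in jar if path_matches(c.path, request_path))


# Constructed jar: a root-scoped visitor cookie (shared across webapps, as in
# Girish's use case) and two per-webapp session cookies (Deepak's proposal).
JAR = [
    Cookie("visitor", "/"),
    Cookie("SESSION_ORDERMGR", "/ordermgr"),
    Cookie("SESSION_ACCOUNTING", "/accounting"),
]

if __name__ == "__main__":
    for req in ["/ordermgr/control/main",
                "/accounting/control/main",
                "/ordermgr2/control/main",
                "/"]:
        print(f"{req:28} -> {cookies_sent(JAR, req)}")
```

Running the block shows the root-scoped visitor cookie going to every path under the host, while each per-webapp session cookie is sent only to its own mount point (and not to a sibling such as "/ordermgr2" that merely shares a string prefix). One caveat that RFC 6265 itself states (section 8.6): the Path attribute limits which requests carry the cookie, but it is not an isolation boundary, since the same-origin policy does not take paths into account; separating webapps by path reduces accidental leakage and cookie collisions, not exposure to script running on another path of the same origin.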