[albatross-users] [bug] cookie path is never set

Matt Goodall matt at pollenation.net
Tue Aug 5 02:16:00 EST 2003


I think I just came across a small bug in the cookie handling caused 
because session.py never sets a path for the cookie so the browser 
assumes the cookie is bound to the current URL's path.

In a random mode app the page name can include paths (they map to Python 
packages) and as you wander around the application's pages Albatross is 
setting multiple cookies. Below are some examples of what the (implicit) 
cookie path is for some made-up URLs:

    /home, cookie path = /
    /help, cookie path = /
    /nested/something, cookie path=/nested
    /nested/another, cookie path=/nested

So now we've got two cookies set with different paths (/ and /nested) 
and they may not have the same session id.

If the / cookie is set first then the browser will send that cookie back 
to the server when one of the /nested/ pages is visited, Albatross will 
retrieve the session id and then set another cookie with a path of 
/nested. In this case there are multiple cookies but each one has the 
same session id - a bit messy but not a great problem.

However, if the /nested cookie is set first then it will not be sent 
back to the server for the /home and /help URLs. That causes Albatross 
to create a new session and set a cookie for it with a path of /. After 
that, depending on where you are in the app, you will be using one of 
two cookies and hence one of two sessions.

I'm pretty sure the fix is just to explicitly set a cookie path. It 
should be possible to use the base_uri to work out a path to use. I'll 
see what I can come up with if no one else gets there first.

Note that this bug is unlikely to affect non-random apps since they 
don't use page paths. However, I have definitely seen a case where I had 
two cookies set for a non-random application which caused all sorts of 
fun with session management. I didn't know why it was happening at the 
time and couldn't pin it down. I still have no idea how I managed to get 
the cookies in that state but now I know what caused it ;-).

Cheers, Matt

-- 
Matt Goodall, Pollenation Internet Ltd
w: http://www.pollenationinternet.com
e: matt at pollenation.net
t: +44 (0)113 2252500
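
The two visit orders described in the message above, as an added example that is not part of the original post and is not Albatross code: a small Python model of the browser's default cookie path and path matching (the rules in RFC 6265 section 5.1.4). `ToyServer` and `browse` are hypothetical names, the session ids are constructed, and the URLs are the made-up ones from the post.

```python
import itertools

def default_path(url_path):
    """Path a browser assigns when Set-Cookie carries no Path attribute."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path[:url_path.rfind("/")]

def path_matches(cookie_path, request_path):
    """True if a cookie stored under cookie_path is sent for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class ToyServer:
    """Hypothetical session layer: reuses the id it receives, else mints one."""
    def __init__(self, explicit_path=None):
        self.explicit_path = explicit_path  # None models the missing Path
        self.ids = itertools.count(1)

    def handle(self, sent_sid):
        sid = sent_sid or "sess-%d" % next(self.ids)
        return sid, self.explicit_path  # cookie value and Path attribute

def browse(urls, explicit_path=None):
    """Visit urls in order; return the browser's jar as {cookie path: session id}."""
    server = ToyServer(explicit_path)
    jar = {}  # same cookie name under different paths = separate cookies
    for url in urls:
        # Matching cookies go out longest path first; the server reads the first.
        matching = sorted((p for p in jar if path_matches(p, url)),
                          key=len, reverse=True)
        sent = jar[matching[0]] if matching else None
        sid, path = server.handle(sent)
        jar[path or default_path(url)] = sid
    return jar

if __name__ == "__main__":
    # "/" cookie first: two cookies, one session (messy but harmless).
    print(browse(["/home", "/nested/something"]))
    # "/nested" cookie first: two cookies, two sessions (the bug).
    print(browse(["/nested/something", "/home", "/nested/another"]))
    # Explicit Path=/ on every Set-Cookie: one cookie, one session.
    print(browse(["/nested/something", "/home", "/nested/another"], "/"))
```

The `"/"` passed in the last call stands in for a path derived from the application's base URI, which is the fix the post proposes.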
