[albatross-users] [bug] cookie path is never set
Dave Cole
djc at object-craft.com.au
Thu Aug 7 22:00:13 EST 2003
> I think I just came across a small bug in the cookie handling caused
> because session.py never sets a path for the cookie so the browser
> assumes the cookie is bound to the current URL's path.
>
> In a random mode app the page name can include paths (they map to
> Python packages) and as you wander around the application's pages
> Albatross is setting multiple cookies. Below are some examples of
> what the (implicit) cookie path is for some made up URLs:
>
> /home, cookie path = /
> /help, cookie path = /
> /nested/something, cookie path=/nested
> /nested/another, cookie path=/nested
>
> So now we've got two cookies set with different paths (/ and
> /nested) and they may not have the same session id.
Ooops.
> If the / cookie is set first then the browser will send that cookie
> back to the server when one of the /nested/ pages is visited,
> Albatross will retrieve the session id and then set another cookie
> with a path of /nested. In this case there are multiple cookies but
> each one has the same session id - a bit messy but not a great problem.
Ooops.
> However, if the /nested cookie is set first then it will not be sent
> back to the server for the /home and /help URLs. That causes
> Albatross to create a new session and set a cookie for it with a
> path of /. After that, depending on where you are in the app, you
> will be using one of two cookies and hence one of two sessions.
Ooops.
> I'm pretty sure the fix is just to explicitly set a cookie path. It
> should be possible to use the base_uri to work out a path to
> use. I'll see what I can come up with if no one else gets there
> first.
I think you are correct. I think you might beat everyone.
> Note that this bug is unlikely to affect non-random apps since they
> don't use page paths. However, I have definitely seen a case where I
> had two cookies set for a non-random application which caused all
> sorts of fun with session management. I didn't know why it was
> happening at the time and couldn't pin it down. I still have no idea
> how I managed to get the cookies in that state but now I know what
> caused it ;-).
Strange. I have never seen that happen. What browser are you using?
- Dave
--
http://www.object-craft.com.au
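
An added example, not part of the original message and not Albatross code: a simplified model of the browser behaviour described in the thread, using the default-path and path-match rules from RFC 6265 section 5.1.4. The `browse` helper, the session ids, the sample URLs and the assumption that the server re-sets the session cookie on every response are constructed for illustration.

```python
import itertools

def default_path(request_path):
    """Path a browser assumes when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def path_matches(cookie_path, request_path):
    """True if a cookie stored under cookie_path is sent for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Match only on a path-segment boundary: /nested matches /nested/x,
        # but not /nestedfoo.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def browse(urls, explicit_path=None):
    """Visit urls in order; return (cookie jar, session id used per request).

    The modelled server reuses the session id from the cookie it receives,
    creates a new session when none arrives, and sets the cookie on every
    response. explicit_path=None reproduces the bug (no Path attribute).
    """
    jar = {}                      # cookie path -> session id
    new_id = itertools.count(1)
    used = []
    for url in urls:
        # The browser sends every matching cookie, longest path first.
        sent = [sid for path, sid in
                sorted(jar.items(), key=lambda kv: -len(kv[0]))
                if path_matches(path, url)]
        sid = sent[0] if sent else "s%d" % next(new_id)
        used.append(sid)
        jar[explicit_path or default_path(url)] = sid
    return jar, used

if __name__ == "__main__":
    # Constructed visit orders matching the cases in the message.
    print(browse(["/home", "/nested/something"]))
    print(browse(["/nested/something", "/home", "/nested/another", "/help"]))
    print(browse(["/nested/something", "/home", "/nested/another", "/help"],
                 explicit_path="/"))
```

The second call shows the split: requests alternate between two sessions depending on which part of the application is visited, while the third call, with an explicit path, keeps a single cookie and a single session.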