[albatross-users] [bug] cookie path is never set

Dave Cole djc at object-craft.com.au
Thu Aug 7 22:00:13 EST 2003


> I think I just came across a small bug in the cookie handling caused
> because session.py never sets a path for the cookie so the browser
> assumes the cookie is bound to the current URL's path.
> 
> In a random mode app the page name can include paths (they map to
> Python packages) and as you wander around the application's pages
> Albatross is setting multiple cookies. Below are some examples of
> what the (implicit) cookie path is for some made up URLs:
> 
>     /home, cookie path = /
>     /help, cookie path = /
>     /nested/something, cookie path=/nested
>     /nested/another, cookie path=/nested
> 
> So now we've got two cookies set with different paths (/ and
> /nested) and they may not have the same session id.

Ooops.

> If the / cookie is set first then the browser will send that cookie
> back to the server when one of the /nested/ pages is visited,
> Albatross will retrieve the session id and then set another cookie
> with a path of /nested. In this case there are multiple cookies but
> each one has the same session id - a bit messy but not a great problem.

Ooops.

> However, if the /nested cookie is set first then it will not be sent
> back to the server for the /home and /help URLs. That causes
> Albatross to create a new session and set a cookie for it with a
> path of /. After that, depending on where you are in the app, you
> will be using one of two cookies and hence one of two sessions.

Ooops.

> I'm pretty sure the fix is just to explicitly set a cookie path. It
> should be possible to use the base_uri to work out a path to
> use. I'll see what I can come up with if no one else gets there
> first.

I think you are correct.  I think you might beat everyone.

> Note that this bug is unlikely to affect non-random apps since they
> don't use page paths. However, I have definitely seen a case where I
> had two cookies set for a non-random application which caused all
> sorts of fun with session management. I didn't know why it was
> happening at the time and couldn't pin it down. I still have no idea
> how I managed to get the cookies in that state but now I know what
> caused it ;-).

Strange.  I have never seen that happen.  What browser are you using?

- Dave

-- 
http://www.object-craft.com.au
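
An added example, not part of the original message or Albatross's own code: a small Python simulation of the browser behaviour described in the report, using the default-path and path-match rules as later specified in RFC 6265 section 5.1.4. The `browse` helper, the session-id format, the URL order and the explicit path of `/` are assumptions made for illustration.

```python
import itertools

def default_path(url_path):
    """Cookie path a browser assumes when Set-Cookie carries no Path."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path[:url_path.rfind("/")]

def path_match(cookie_path, request_path):
    """True if a cookie scoped to cookie_path is sent for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def browse(urls, explicit_path=None):
    """Simulate one browser talking to a session server.

    Returns (session id the server used for each request, final cookie jar).
    The jar maps cookie path -> session id for a single cookie name.
    """
    jar = {}
    new_id = itertools.count(1)
    seen = []
    for url in urls:
        # Browser sends every matching cookie, longest path first.
        sent = [jar[p] for p in sorted(jar, key=len, reverse=True)
                if path_match(p, url)]
        # Server reuses the first id it receives, else starts a new session.
        sid = sent[0] if sent else "session-%d" % next(new_id)
        seen.append(sid)
        # Server sets the cookie on every response; with no Path attribute
        # the browser scopes it to default_path(url).
        jar[explicit_path or default_path(url)] = sid
    return seen, jar

if __name__ == "__main__":
    # Constructed URL order: a /nested page is visited first.
    urls = ["/nested/something", "/home", "/nested/another", "/help"]
    print("no Path :", browse(urls))
    print("Path=/  :", browse(urls, explicit_path="/"))
```

With no path the run alternates between two sessions depending on the URL; with an explicit path there is one cookie and one session.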
