Hi Deepak

Whether to set the cookie path as the root of the web server or not largely
depends on the use case. Yes, generally, it is preferred to keep the
cookies separate for the various web apps deployed on the server.

In OFBiz's case, various web applications are deployed on separate mount
points, and if you take, for example, the case of the visitor cookie, then it
makes sense to keep its path as root because a visitor (same person)
visiting order manager and accounting should be counted as the same,
single visitor. You do not want the server to create a new visitor cookie for
order manager if the user has already visited accounting.

The browser will send the visitor cookie as part of the request to order
manager, which helps OFBiz identify the visitor.

Often, other use cases demand that the server session be maintained across
different web applications. Imagine a scenario where you log in to a parent
web application, a separate module is part of a different web
application, and you navigate to the sub module from the parent module. You
would ideally want the session cookie to be "transferred" from the parent web
app to the sub web app. Here you will have to make sure the session cookie
created by the server has the path "/" set. If that is not the case, then
navigating from the parent web app to the sub web app will result in session loss.

So, all in all, it is mostly based on your scenario. I hope that makes
sense.

Thanks,
Girish Vasmatkar
HotWax Systems
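To make the path argument above concrete, here is an added example (not code from this thread or from OFBiz) that simulates which cookies a browser attaches to a request using the path-match rules of RFC 6265 section 5.1.4; the cookie names, the "/accounting" and "/ordermgr" mount points and the request paths are constructed for the illustration.

```python
# Added example: simulate browser cookie path matching (RFC 6265 section 5.1.4)
# to show why a session cookie scoped to one mount point is not sent when the
# user navigates to another web app on the same host, while a cookie with
# path "/" follows the user everywhere.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    path: str  # the value a servlet sets with Cookie.setPath()


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Return True if a cookie with cookie_path is sent to request_path.

    RFC 6265 path-match: identical paths match; otherwise cookie_path must be
    a prefix of request_path and either end in "/" or be followed by "/" in
    request_path (so "/account" does not match "/accounting").
    """
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(jar: list, request_path: str) -> list:
    """Names of the cookies the browser would attach to a request."""
    return [c.name for c in jar if path_matches(c.path, request_path)]


# Constructed cookie jar: a site-wide visitor cookie (path "/") and a
# session cookie scoped to the accounting web app only.
JAR = [
    Cookie("visitor", "/"),
    Cookie("JSESSIONID", "/accounting"),
]

if __name__ == "__main__":
    for path in ("/accounting/control/main",   # both cookies sent
                 "/ordermgr/control/main",     # session cookie missing: session loss
                 "/accountingx"):              # prefix alone is not enough
        print(path, "->", cookies_sent(JAR, path))
```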


On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam <deepak.nigam1...@gmail.com>
wrote:

> Hello Folks,
>
> During the code walkthrough, I observed that everywhere the cookie path
> attribute is hardcoded as root '/' using the setPath() method. This is not
> the correct implementation because if the cookie path is set to the root
> '/', then the cookie will be sent to all the applications under the same
> domain.
>
> Is there any best practice around this? Should it be configurable?
> IMO, the cookie path should be set to '/users/' directory. WDYT?
>
>
> Thanks!
>
> Deepak Nigam
> HotWax Systems Pvt. Ltd
>
