Thanks Girish for the explanation. What should be the best way to set cookie path for an e-commerce application?

On Fri, Oct 5, 2018 at 10:48 AM Girish Vasmatkar <girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Deepak
>
> That largely depends on the use case whether to set cookie path as the root
> of the web server or not. Yes, generally, it is preferred to keep the
> cookies separate for the various web apps deployed on the server.
>
> In OFBiz case, various web applications are deployed on separate mount
> points and if you take, for example, the case of visitor cookie, then it
> makes sense to keep its path as root because a visitor (same person)
> visiting order manager and accounting should be counted as the same,
> single visitor. You do not want server to create a new visitor cookie for
> order manager if the user has already visited accounting.
>
> Browser will send the visitor cookie as part of request to order manager
> that helps OFBiz identify the visitor.
>
> Often certain other use cases demand server session to be maintained across
> different web applications. Imagine a scenario where you log in to a parent
> web application and then a separate module is part of a different web
> application and you navigate to the sub module from the parent module. You
> would ideally want the session cookie to be "transferred" from parent web
> app to sub web app. Here you will have to make sure the session cookie
> created by the server has the path "/" set. If that is not the case, then
> navigating from parent web app to sub web app will result in session loss.
>
> So, all in all, it is mostly based on your scenario. I hope that makes
> sense.
>
> Thanks,
> Girish Vasmatkar
> HotWax Systems
>
>
> On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam <deepak.nigam1...@gmail.com>
> wrote:
>
> > Hello Folks,
> >
> > During the code walkthrough, I observed that everywhere the cookie path
> > attribute is hardcoded as root '/' using the setPath() method. This is not
> > the correct implementation because if the cookie path is set to the root
> > '/', then the cookie will be sent to all the applications under the same
> > domain.
> >
> > Is there any best practice around this? Should it be configurable?
> > IMO, the cookie path should be set to '/users/' directory. WDYT?
> >
> >
> > Thanks!
> >
> > Deepak Nigam
> > HotWax Systems Pvt. Ltd
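
The path scoping discussed in this thread, as an added example that is not part of the original messages or of OFBiz: it implements the RFC 6265 path-match rule to show which requests carry a cookie set with path "/" versus one scoped to a single web app. The cookie names and mount points are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: would a cookie with this Path
// attribute be attached to a request for this URL path?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts at a "/" boundary, so "/accounting" does not
  // match "/accountingx".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for requestPath.
function cookiesSent(jar, requestPath) {
  return jar.filter((c) => pathMatch(requestPath, c.path)).map((c) => c.name);
}

// Constructed cookie jar for one host. Names and mount points are
// assumptions for illustration, not values taken from the thread.
const jar = [
  { name: "visitor", path: "/" },               // shared by every web app
  { name: "acctSession", path: "/accounting" }, // scoped to one web app
];

// Constructed request paths: two different web apps and a look-alike prefix.
const requests = [
  "/accounting/control/main",
  "/ordermgr/control/main",
  "/accountingx/",
];

// One line per request listing the cookies that would accompany it.
function report() {
  return requests.map((p) => `${p} -> ${cookiesSent(jar, p).join(", ")}`);
}

console.log(report().join("\n"));
```

RFC 6265 itself states that the Path attribute cannot be relied upon for security, so a narrower path reduces where a cookie is sent but does not isolate web apps on the same host.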