matt fowler created UNOMI-553:
---------------------------------

             Summary: Add unomi session cookie options to web tracker to improve support of websites that use directories in the url with no intention of isolation.
                 Key: UNOMI-553
                 URL: https://issues.apache.org/jira/browse/UNOMI-553
             Project: Apache Unomi
          Issue Type: Improvement
            Reporter: matt fowler


The unomiSessionId cookie will get created by the web tracker if it is not 
already present.  The creation of this cookie is done with help from 
'component-cookie', which in turn uses document.cookie to create it.

If the url being requested is something like "http://example.com", then the 
document.cookie will automatically create the unomiSessionId cookie with a path 
of '/'.  This allows the cookie to be accessed throughout the rest of the 
session, even if the user goes to sub directories in the url such as 
"http://example.com/dir1/index.html".

However, if there isn't a unomiSessionId cookie present, and the first page 
that a user accesses is within a sub directory, such as 
"http://example.com/dir1/index.html", then the unomiSessionId gets created 
with a path of /dir1.  This is the default behavior of document.cookie when 
the document is a directory off of the main url.  Since the unomiSessionId 
cookie now has a path of /dir1, if the end user were to navigate to any other 
directory such as http://example.com/dir2/index.html or to the root url of 
http://example.com/ then a new session Id is created because the cookie is only 
readable off of the path of /dir1.

This behavior can be beneficial in some situations, but there are many cases 
where a site will have multiple sub directories with no intention of having 
isolation between each of them.  The expected behavior in this scenario would 
be that a user coming into http://example.com/dir1/index.html gets a session 
Id that remains throughout the entire interaction with http://example.com no 
matter what the path.  Today that is not possible; a new session Id will be 
created with each visit to a new directory UNTIL they finally hit the base url, 
which will then cause a unomiSessionId cookie with a path of '/' which then 
can be used by all sub directories.

Proposed Fix:
Not sure if we want to change the default behavior in case this is working as 
intended for existing implementations.  The proposed fix would be to have a 
unomiOption which could force the session cookie to use a custom path.  Due to 
the library being used, it also might make sense to just allow for all of the 
cookie options to be exposed as a unomi option, resulting in something like:

    var unomiOption = {
        scope: 'my-scope',
        url: 'unomi-url',
        sessionCookieOptions: {
            path: '/',
            domain: '',
            expires: '',
            secure: true,
            maxage: ''
        }
    };
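The following is an added illustration, not code from Apache Unomi or the web tracker. It models the two RFC 6265 rules that produce the behavior described above (the default-path rule that document.cookie applies when no path attribute is given, and the path-match rule a browser uses when deciding whether to send a cookie) and then replays the visit sequence from the description with and without an explicit path option. The function names, the cookie-jar simulation and the visit list are assumptions made for this example; the sessionCookieOptions shape follows the proposal above.

```javascript
// Added example (not Unomi project code). Models RFC 6265 cookie path rules
// to show why a unomiSessionId cookie minted on /dir1/index.html is not
// presented on /dir2/index.html or /, and how an explicit path option fixes it.

// RFC 6265 5.1.4 default-path: the request path up to, but not including, the
// right-most "/". If nothing is left (or the path does not start with "/"),
// the default is "/".
function defaultCookiePath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  if (lastSlash <= 0) return '/';
  return requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4 path-match: identical paths, or cookie-path is a prefix of
// request-path and either ends in "/" or the next request-path char is "/".
// (So "/dir1" matches "/dir1/page2.html" but not "/dir10/x" or "/dir2/...".)
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Builds the string that would be assigned to document.cookie from options in
// the proposed sessionCookieOptions shape. Empty-string options are treated as
// "not set" (an assumption; document.cookie has no empty attribute concept).
function buildCookieString(name, value, options, requestPath) {
  const opts = options || {};
  const parts = [`${name}=${encodeURIComponent(value)}`];
  // No explicit path: the browser falls back to the default-path rule.
  parts.push(`path=${opts.path || defaultCookiePath(requestPath)}`);
  if (opts.domain) parts.push(`domain=${opts.domain}`);
  if (opts.expires) parts.push(`expires=${opts.expires}`);
  if (opts.maxage !== undefined && opts.maxage !== '') parts.push(`max-age=${opts.maxage}`);
  if (opts.secure) parts.push('secure');
  return parts.join('; ');
}

// Reads the path attribute back out of a cookie string (for the simulation).
function cookiePathOf(cookieString) {
  const m = /;\s*path=([^;]*)/i.exec(cookieString);
  return m ? m[1] : '/';
}

// Replays a sequence of page visits against a simulated cookie jar: a visit
// reuses the stored session cookie when its path matches the request path,
// otherwise it mints a new session. Returns how many session ids were minted.
function simulateVisits(paths, sessionCookieOptions) {
  const jar = []; // entries: { path, value }
  let minted = 0;
  for (const p of paths) {
    if (jar.some(c => pathMatches(c.path, p))) continue;
    minted += 1;
    const str = buildCookieString('unomiSessionId', `session-${minted}`, sessionCookieOptions, p);
    jar.push({ path: cookiePathOf(str), value: `session-${minted}` });
  }
  return minted;
}

// Constructed visit sequence mirroring the description: first landing in a
// sub directory, then another sub directory, then the root, then back.
const VISITS = ['/dir1/index.html', '/dir2/index.html', '/', '/dir1/page2.html'];

console.log('sessions minted with default path:', simulateVisits(VISITS, {}));
console.log('sessions minted with path "/":   ', simulateVisits(VISITS, { path: '/' }));
console.log(buildCookieString('unomiSessionId', 'abc', { path: '/', secure: true }, '/dir1/index.html'));
```

With the default-path rule the replay mints three sessions (one for /dir1, one for /dir2, one for /), and only the last visit is recognised; with `path: '/'` it mints one. Note that the path attribute is a scoping convenience, not an isolation boundary: RFC 6265 section 8.6 points out that script on the same origin at a different path can still read such cookies, so a site that relies on path-scoped cookies for separation should not treat them as a security control.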



--
This message was sent by Atlassian Jira
(v8.20.1#820001)