Default cookie to / #444

Closed

5 participants

@ambs
Owner

Refactored PR from old @bigpresh branch.
Shouldn't hurt.

@ambs
Owner

The alternative is this commit: 01baec5

@xsawyerx, whose do you prefer?

@xsawyerx
Owner

What does the RFC specify?

@bigpresh
Owner

http://tools.ietf.org/html/rfc6265#section-5.2.4 says:

If the attribute-value is empty or if the first character of the attribute-value is not %x2F ("/"):

Let cookie-path be the default-path.

http://tools.ietf.org/html/rfc6265#section-5.1.4 explains how the default-path should be calculated - but it will be based on the URL requested.

For e.g. if the cookie is being set as a result of a request for `/foo/bar`, the default-path for the cookie would be `/foo/bar` - so it would *not* be sent in future requests for e.g. `/bar` or `/foo/baz` - which is somewhat surprising behaviour for most users.

Defaulting to / makes cookies behave the way I think most people would expect it to behave in the absence of a specified path.
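
The default-path and path-match rules of RFC 6265 section 5.1.4, which this thread refers to, as an added example that is not part of the PR or of Dancer2. The helper names `default_path` and `path_match` and the sample request paths are constructed for illustration, and the caller is assumed to pass only the path portion of the URL.

```perl
#!/usr/bin/env perl
# Added example (not Dancer2 code): RFC 6265 section 5.1.4 default-path and
# path-match, comparing a cookie set without a Path attribute against one
# set with Path=/. Helper names and sample paths are constructed.
use strict;
use warnings;

# default-path: "/" when the request path is empty, relative, or holds only
# one "/"; otherwise everything before the right-most "/".
sub default_path {
    my ($uri_path) = @_;
    return '/' unless defined $uri_path && $uri_path =~ m{^/};
    return '/' if ( $uri_path =~ tr{/}{} ) <= 1;
    ( my $dir = $uri_path ) =~ s{/[^/]*\z}{};
    return $dir;
}

# path-match: identical paths, or cookie-path is a prefix of request-path
# that either ends in "/" or is followed by "/" in request-path.
sub path_match {
    my ( $request_path, $cookie_path ) = @_;
    return 1 if $request_path eq $cookie_path;
    return 0 unless index( $request_path, $cookie_path ) == 0;
    return 1 if substr( $cookie_path, -1 ) eq '/';
    return substr( $request_path, length($cookie_path), 1 ) eq '/' ? 1 : 0;
}

my $set_on = '/foo/bar';    # constructed: the request that set the cookie
my %scope  = (
    'no Path attribute' => default_path($set_on),
    'Path=/'            => '/',
);

# Show which later requests would carry the cookie under each scope.
for my $label ( sort keys %scope ) {
    for my $later (qw( /foo/bar /foo/baz /foobar /bar / )) {
        printf "%-18s scope=%-5s request=%-9s %s\n",
            $label, $scope{$label}, $later,
            path_match( $later, $scope{$label} ) ? 'cookie sent' : 'cookie not sent';
    }
}
```

RFC 6265 also notes that the Path attribute cannot be relied upon for security, so the choice of default affects which requests carry the cookie rather than isolating applications on the same host.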

@ambs
Owner

I would say that with my vote and @bigpresh one, we could just merge, but I'll be a good boy and wait for @xsawyerx :+1:

@xsawyerx
Owner

Since this is not an urgent issue, I'd rather we not rush into it.
I generally believe going by the RFC is best. In case of surprised users, we can point to it and show we're not trying to be clever. If someone is already used to the RFC, we're screwing with them, and that won't be taken fondly.

@shumphrey
Owner

If I read D1 correctly, it defaults to '/' if not otherwise specified.
@xsawyerx have you had any more thoughts on RFC vs intuitiveness?

@xsawyerx
Owner

Will review today. @shumphrey thanks for poking!

@ambs
Owner

@xsawyerx, one week, so, poking again :)

@veryrusty veryrusty modified the milestone: 0.13, 0.11
@veryrusty
Owner

PR #121 changed the default value of Dancer2::Core::Cookie->path to be '/', which makes this PR unnecessary. Closing :)

@veryrusty veryrusty closed this
@veryrusty veryrusty deleted the pr/default_cookie_path branch
Commits on Sep 8, 2013
  1. @ambs

    Default cookie to /

    ambs authored
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/Dancer2/Core/Cookie.pm
4 lib/Dancer2/Core/Cookie.pm
@@ -44,9 +44,9 @@ sub to_header {
my $no_httponly = defined( $self->http_only ) && $self->http_only == 0;
my @headers = $self->name . '=' . $value;
- push @headers, "path=" . $self->path if $self->path;
+ push @headers, "path=" . $self->path || '/';
push @headers, "expires=" . $self->expires if $self->expires;
- push @headers, "domain=" . $self->domain if $self->domain;
+ push @headers, "domain=" . $self->domain if $self->domain;
push @headers, "Secure" if $self->secure;
push @headers, 'HttpOnly' unless $no_httponly;
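
Review bot: The fallback on the new `path=` line never fires, because `.` binds tighter than `||`: `"path=" . $self->path || '/'` parses as `("path=" . $self->path) || '/'`, and the left side always contains at least `path=`, so it is always true. With an unset path this now pushes a bare `path=` (plus an uninitialized-value warning if the accessor returns undef) where the old line pushed nothing, and the cookie still does not get `/`. Parenthesize the default: `push @headers, "path=" . ( $self->path || '/' );`. The `domain` pair appears to be a whitespace-only change; dropping it would keep the commit limited to the behavioural change.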