Default cookie to / #444

Closed
wants to merge 1 commit into from

5 participants

@ambs
PerlDancer member

Refactored PR from old @bigpresh branch.
Shouldn't hurt.

@ambs
PerlDancer member

The alternative is this commit: 01baec5

@xsawyerx, whose do you prefer?

@xsawyerx
PerlDancer member

What does the RFC specify?

@bigpresh
PerlDancer member

http://tools.ietf.org/html/rfc6265#section-5.2.4 says:

If the attribute-value is empty or if the first character of the attribute-value is not %x2F ("/"):

Let cookie-path be the default-path.

http://tools.ietf.org/html/rfc6265#section-5.1.4 explains how the default-path should be calculated - but it will be based on the URL requested.

For e.g. if the cookie is being set as a result of a request for `/foo/bar`, the default-path for the cookie would be `/foo/bar` - so it would *not* be sent in future requests for e.g. `/bar` or `/foo/baz` - which is somewhat surprising behaviour for most users.

Defaulting to / makes cookies behave the way I think most people would expect it to behave in the absence of a specified path.
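The default-path and path-match rules of RFC 6265 (sections 5.1.4 and 5.2.4, linked above) worked through in code. This is an added example, not part of the thread and not Dancer2 code; the function names and sample paths are assumptions made for illustration.

```javascript
// Added example: RFC 6265 cookie path rules. Inputs are URL paths only
// (no query string); all function names are hypothetical.

// Section 5.1.4: default-path derived from the request's uri-path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  // Only one "/" in the path: the default-path is "/".
  if (lastSlash === 0) return "/";
  // Everything up to, but not including, the right-most "/".
  return uriPath.slice(0, lastSlash);
}

// Section 5.2.4: an empty Path attribute, or one not starting with "/",
// falls back to the default-path.
function cookiePath(pathAttr, requestPath) {
  if (!pathAttr || pathAttr[0] !== "/") return defaultPath(requestPath);
  return pathAttr;
}

// Section 5.1.4: does a later request path match the stored cookie-path?
function pathMatch(requestPath, storedPath) {
  if (requestPath === storedPath) return true;
  if (!requestPath.startsWith(storedPath)) return false;
  return storedPath.endsWith("/") || requestPath[storedPath.length] === "/";
}

// For a cookie set while serving setOnPath, report which later request
// paths would carry it.
function cookieScope(setOnPath, pathAttr, laterPaths) {
  const stored = cookiePath(pathAttr, setOnPath);
  const sentTo = laterPaths.filter((p) => pathMatch(p, stored));
  return { stored, sentTo };
}

// Constructed sample paths.
const later = ["/foo/bar", "/foo/baz", "/foobar", "/bar", "/"];
console.log(cookieScope("/foo/bar", undefined, later)); // no Path attribute
console.log(cookieScope("/foo/bar", "/", later));       // explicit Path=/
```
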

@ambs
PerlDancer member

I would say that with my vote and @bigpresh one, we could just merge, but I'll be a good boy and wait for @xsawyerx :+1:

@xsawyerx
PerlDancer member

Since this is not an urgent issue, I'd rather we not rush into it.
I generally believe going by the RFC is best. In case of surprised users, we can point to it and show we're not trying to be clever. If someone is already used to the RFC, we're screwing with them, and that won't be taken fondly.

@shumphrey

If I read D1 correctly, it defaults to '/' if not otherwise specified.
@xsawyerx have you had any more thoughts on RFC vs intuitiveness?

@xsawyerx
PerlDancer member

Will review today. @shumphrey thanks for poking!

@ambs
PerlDancer member

@xsawyerx, one week, so, poking again :)

@veryrusty veryrusty modified the milestone: 0.13, 0.11
@veryrusty
PerlDancer member

PR #121 changed the default value of Dancer2::Core::Cookie->path to be '/', which makes this PR unnecessary. Closing :)

@veryrusty veryrusty closed this
@veryrusty veryrusty deleted the pr/default_cookie_path branch
Commits on Sep 8, 2013
  1. @ambs

    Default cookie to /

    ambs committed
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/Dancer2/Core/Cookie.pm
4 lib/Dancer2/Core/Cookie.pm
@@ -44,9 +44,9 @@ sub to_header {
my $no_httponly = defined( $self->http_only ) && $self->http_only == 0;
my @headers = $self->name . '=' . $value;
- push @headers, "path=" . $self->path if $self->path;
+ push @headers, "path=" . $self->path || '/';
push @headers, "expires=" . $self->expires if $self->expires;
- push @headers, "domain=" . $self->domain if $self->domain;
+ push @headers, "domain=" . $self->domain if $self->domain;
push @headers, "Secure" if $self->secure;
push @headers, 'HttpOnly' unless $no_httponly;
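Review bot: The `'/'` fallback on the new `path=` line can never take effect, because `.` binds tighter than `||`: the expression parses as `("path=" . $self->path) || '/'`, and the left side is always a non-empty (true) string. With an unset path the header gets a bare `path=` (and an uninitialized-value warning under `use warnings`) instead of `path=/`. Parenthesise the default: `push @headers, "path=" . ( $self->path || '/' );`. The removed and added `domain=` lines read identically here, so that pair looks like a whitespace-only change and could be dropped from the commit.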