Raivo Laanemets. Software consultant.

Multiple session cookies with no path


Recently I debugged an issue with session cookies. Multiple sessions and session cookies started appearing for a single user when browsing the web application. It took quite little time to figure this out with the Chrome debugger: all the cookies had a different Path option.

It turns out that sending a cookie without the Path option makes the browser derive the value from the current request URL path. The cookie is sent back to the server only when the cookie path matches the request URL path as a prefix. As a result, requests to different paths sometimes do not send back the existing cookie and receive a new one from the server. This behavior is described in RFC 6265 sections 4.1.2.4 and 5.1.4. Setting the Path option to / solved the problem.

Old code to emit the Set-Cookie header (Prolog):

format('Set-Cookie: ~w=~w; Expires=~w\r\n',
  [KeyEncoded, ValueEncoded, ExpireDate]).

Fixed code:

format('Set-Cookie: ~w=~w; Path=/; Expires=~w\r\n',
  [KeyEncoded, ValueEncoded, ExpireDate]).
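The effect can be reproduced without a browser. The following is an added example, not code from the application described above: it implements the default-path and path-match rules of RFC 6265 section 5.1.4 and replays a constructed sequence of request paths against a server that issues a new session whenever no session cookie arrives. The function names and the request paths are assumptions made for the illustration.

```javascript
// RFC 6265 5.1.4 default-path: the cookie path the browser assigns
// when Set-Cookie carries no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  // Everything up to, but not including, the right-most "/".
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4 path-match: is a cookie with cookiePath sent on requestPath?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so /admin does not match /administrator.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Simulated cookie jar for one cookie name and one host.
// pathAttr is the Path attribute the server sends, or undefined for none.
function simulate(requestPaths, pathAttr) {
  const jar = [];
  let nextSession = 1;
  for (const requestPath of requestPaths) {
    const sent = jar.filter((c) => pathMatch(requestPath, c.path));
    if (sent.length === 0) {
      // No session cookie arrived: the server creates a new session.
      const path = pathAttr || defaultPath(requestPath);
      jar.push({ path, value: 'session-' + nextSession++ });
    }
  }
  return jar;
}

// Constructed browsing sequence.
const visits = ['/admin/users', '/admin/posts', '/shop/cart', '/shop/items/5', '/'];

console.log('no Path:', simulate(visits));      // one session per path prefix
console.log('Path=/ :', simulate(visits, '/')); // a single session
```

Without Path the jar ends up with three session cookies, scoped to /admin, /shop and /, and later requests under /admin or /shop carry two of them at once.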
