
Setting a slash on cookie path?

Tags:

cookies

Is there a best practice whether to set a slash at the end of a cookie path? Is path better than path/ in any way? I found out that both versions result in different cookies, but I don't know which version is preferred.

Matthias asked Mar 21 '16 12:03



1 Answer

As far as the server side goes, this issue (https://bugzilla.mozilla.org/show_bug.cgi?id=469678) states:

Per RFC 2109 the default path of a cookie when set by Set-Cookie is:

Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /.

So this is one perspective where a trailing slash should not be used.


RFC History

RFC 2109, February 1997, HTTP State Management Mechanism

https://www.rfc-editor.org/rfc/rfc2109

  • See 4.3.1 Interpreting Set-Cookie
  • Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /.

DON'T include trailing '/'.

RFC 2965, October 2000, HTTP State Management Mechanism

Obsoletes: 2109

https://www.rfc-editor.org/rfc/rfc2965

  • See 3.3.1 Interpreting Set-Cookie2
  • Defaults to the path of the request URL that generated the Set-Cookie2 response, up to and including the right-most /.

DO include trailing '/'.

RFC 6265, April 2011, HTTP State Management Mechanism

Obsoletes: 2965

https://www.rfc-editor.org/rfc/rfc6265#section-5.2.4

  • See 5.1.4. Paths and Path-Match
  • Step 3: If the uri-path contains no more than one %x2F ("/") character, output %x2F ("/") and skip the remaining step.
  • Step 4: Output the characters of the uri-path from the first character up to, but not including, the right-most %x2F ("/").

DON'T include trailing '/'.


Client test

On the client, if you use the following code:

document.cookie="a=1"

you get these results when inspecting the cookie in devtools in each browser (my page had window.location.pathname = "/selenium/tests/testCustomizeColumnsPage.html"):

Browser            Cookie path
Chrome/71.0.3578   /selenium/tests
Firefox/64.0       /selenium/tests/
Edge               /selenium/tests/
IE11               (devtools doesn't show cookies; I think the path includes the trailing '/')

So is Chrome wrong here?


Other references:

  • https://github.com/salesforce/tough-cookie/commit/d78d3a3593d1aea1d821d45492297ddf2e990568
  • https://bugzilla.mozilla.org/show_bug.cgi?id=414582
  • https://bugzilla.mozilla.org/show_bug.cgi?id=469678
  • https://bugzilla.mozilla.org/show_bug.cgi?id=537207
Paul Grime answered Sep 19 '22 15:09

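The RFC 6265 default-path algorithm (section 5.1.4) quoted in the answer, together with the path-match algorithm from the same section, implemented as an added example in Node.js so the difference between Path=/selenium/tests and Path=/selenium/tests/ from the client test can be checked offline. This is not code from the question, the answer, or any browser; the sample request paths are constructed for the demo.

```javascript
// Added example (not from the original question or answer): RFC 6265
// section 5.1.4 "default-path" and "path-match", plus a side-by-side
// comparison of a cookie path with and without a trailing slash.
// Plain Node.js, no dependencies. All sample paths below are constructed.

// RFC 6265 section 5.1.4, steps 1-4: the path a cookie gets when the
// Set-Cookie header carries no Path attribute and the response came from
// a request for `uriPath`.
function defaultPath(uriPath) {
  // Step 2: empty uri-path, or one not starting with "/", defaults to "/".
  if (!uriPath || uriPath[0] !== "/") {
    return "/";
  }
  // Step 3: a uri-path with no more than one "/" defaults to "/".
  const lastSlash = uriPath.lastIndexOf("/");
  if (lastSlash === 0) {
    return "/";
  }
  // Step 4: everything up to, but NOT including, the right-most "/".
  return uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4 "path-match": is a cookie stored with
// `cookiePath` sent on a request for `requestPath`?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) {
    return true;
  }
  if (!requestPath.startsWith(cookiePath)) {
    return false;
  }
  // cookie-path is a proper prefix: it matches if it ends in "/" ...
  if (cookiePath.endsWith("/")) {
    return true;
  }
  // ... or if the first request-path character after it is "/".
  return requestPath[cookiePath.length] === "/";
}

// Contrast Path=/selenium/tests (what default-path and Chrome produce)
// with Path=/selenium/tests/ (what Firefox and Edge showed in the answer).
function compareScopes(requestPaths) {
  const noSlash = "/selenium/tests";
  const withSlash = "/selenium/tests/";
  return requestPaths.map((p) => ({
    request: p,
    noSlash: pathMatch(p, noSlash),
    withSlash: pathMatch(p, withSlash),
  }));
}

// Constructed request paths that exercise the edge cases of path-match.
const SAMPLE_PATHS = [
  "/selenium/tests",                              // the bare path itself
  "/selenium/tests/",                             // the directory
  "/selenium/tests/testCustomizeColumnsPage.html", // the page from the answer
  "/selenium/tests-old/index.html",               // same prefix, other segment
  "/selenium/testsuite",                          // same prefix, no "/" boundary
  "/selenium",                                    // parent
];

// Stand-alone demo.
console.log("default path for the answer's page:",
  defaultPath("/selenium/tests/testCustomizeColumnsPage.html"));
console.table(compareScopes(SAMPLE_PATHS));
```

The rows for /selenium/tests-old/index.html and /selenium/testsuite show that the slash-less path is already segment-safe: path-match requires a "/" immediately after the prefix, so a trailing slash buys no extra protection against sibling directories. What the trailing slash does change is the first row: a request for the bare /selenium/tests receives the cookie only when Path has no trailing slash. Either way, RFC 6265 section 8.6 is explicit that Path is not an isolation boundary: any document on the same origin can read a cookie scoped to another path (for example by framing that path), so treat Path as a way to limit which requests carry the cookie, not as a security control.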