[ https://issues.apache.org/jira/browse/UNOMI-553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
matt fowler updated UNOMI-553:
------------------------------
Description:
The unomiSessionId cookie will get created by the web tracker if it is not
already present. The creation of this cookie is done with help from the
'component-cookie', which in turn uses document.cookie to create it.

If the url being requested is something like "http://example.com" then the
document.cookie will automatically create the unomiSessionId cookie with a path
of '/'. This allows the cookie to be accessed throughout the rest of the
session, even if the user goes to subdirectories in the url such as
"http://example.com/dir1/index.html".

However, if there isn't a unomiSessionId cookie present, and the first page
that a user accesses is within a subdirectory, such as
"http://example.com/dir1/index.html", then the unomiSessionId gets created
with a path of /dir1. This is the default behavior of document.cookie when
the document is a directory off of the main url. Since the unomiSessionId
cookie now has a path of /dir1, if the end user were to navigate to any other
directory such as http://example.com/dir2/index.html or to the root url of
http://example.com/ then a new session Id is created because the cookie is
only readable off of the path of /dir1.

This behavior can be beneficial in some situations, but there are many cases
where a site will have multiple subdirectories with no intention of having
isolation between each of them. The expected behavior in this scenario would
be that a user coming in to http://example.com/dir1/index.html gets a
session Id that remains throughout the entire interaction of
http://example.com/ no matter what the path. Today that is not possible: a new
session Id will be created with each visit to a new directory UNTIL they
finally hit the base url, which will then cause a unomiSessionId cookie with a
path of '/' which then can be used by all subdirectories.

Proposed Fix:
Not sure if we want to change the default behavior in case this is working as
intended for existing implementations. The proposed fix would be to have a
unomiOption which could force the session cookie to use a custom path. Due to
the library being used, it also might make sense to just allow for all of the
cookie options to be exposed as a unomi option, resulting in something like:

    var unomiOption = {
        scope: 'my-scope',
        url: 'unomi-url',
        // passed through to component-cookie when unomiSessionId is created
        sessionCookieOptions: {
            path: '/',
            domain: '',
            expires: '',
            secure: true,
            maxage: ''
        }
    };

was:
The unomiSessionId cookie will get created by the web tracker if it is not
already present. The creation of this cookie is done with help from the
'component-cookie', which in turn uses document.cookie to create it.

If the url being requested is something like "http://example.com" then the
document.cookie will automatically create the unomiSessionId cookie with a path
of '/'. This allows the cookie to be accessed throughout the rest of the
session, even if the user goes to subdirectories in the url such as
"http://example.com/dir1/index.html".

However, if there isn't a unomiSessionId cookie present, and the first page
that a user accesses is within a subdirectory, such as
"http://example.com/dir1/index.html", then the unomiSessionId gets created
with a path of /dir1. This is the default behavior of document.cookie when
the document is a directory off of the main url. Since the unomiSessionId
cookie now has a path of /dir1, if the end user were to navigate to any other
directory such as http://example.com/dir2/index.html or to the root url of
http://example.com/ then a new session Id is created because the cookie is only
readable off of the path of /dir1.

This behavior can be beneficial in some situations, but there are many cases
where a site will have multiple subdirectories with no intention of having
isolation between each of them. The expected behavior in this scenario would
be that a user coming in to http://example.com/dir1/index.html gets a session
Id that remains throughout the entire interaction of http://example.com no
matter what the path. Today that is not possible: a new session Id will be
created with each visit to a new directory UNTIL they finally hit the base url,
which will then cause a unomiSessionId cookie with a path of '/' which then
can be used by all subdirectories.

Proposed Fix:
Not sure if we want to change the default behavior in case this is working as
intended for existing implementations. The proposed fix would be to have a
unomiOption which could force the session cookie to use a custom path. Due to
the library being used, it also might make sense to just allow for all of the
cookie options to be exposed as a unomi option, resulting in something like:

    var unomiOption = {
        scope: 'my-scope',
        url: 'unomi-url',
        sessionCookieOptions: {
            path: '/',
            domain: '',
            expires: '',
            secure: true,
            maxage: ''
        }
    };

> Add unomi session cookie options to web tracker to improve support of
> websites that use directories in the url with no intention of isolation.
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: UNOMI-553
> URL: https://issues.apache.org/jira/browse/UNOMI-553
> Project: Apache Unomi
> Issue Type: Improvement
> Reporter: matt fowler
> Priority: Minor
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
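
The path scoping described in this issue, as an added example that is not part of the original report or of Unomi's tracker code: it implements the RFC 6265 default-path and path-match rules and replays a visit sequence against a simulated cookie jar, first with no path option and then with path '/'. The function names and the /dir3 URL are constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not Unomi's tracker code.

// RFC 6265 section 5.1.4: path used when a cookie is set without a Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does a cookie scoped to cookiePath apply to requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Replays page views: on each view the tracker reuses a visible unomiSessionId
// cookie (longest matching path wins) or creates a new one.
function simulateVisits(urls, sessionCookieOptions = {}) {
  const jar = []; // simulated cookie jar: { value, path }
  let created = 0;
  return urls.map((url) => {
    const requestPath = new URL(url).pathname;
    let cookie = jar
      .filter((c) => pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length)[0];
    if (!cookie) {
      cookie = {
        value: `session-${++created}`,
        path: sessionCookieOptions.path || defaultPath(requestPath),
      };
      jar.push(cookie);
    }
    return { url, sessionId: cookie.value, cookiePath: cookie.path };
  });
}

// Constructed visit sequence based on the URLs in the issue description.
const visits = [
  'http://example.com/dir1/index.html',
  'http://example.com/dir2/index.html',
  'http://example.com/',
  'http://example.com/dir3/index.html',
];

console.table(simulateVisits(visits));                // current behavior
console.table(simulateVisits(visits, { path: '/' })); // with the proposed option
```

The Path attribute is a scoping convenience rather than a security boundary, since same-origin script can still reach cookies set for other paths; of the proposed options, secure is the one that changes exposure, by keeping the cookie off plain-HTTP requests.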