[ https://issues.apache.org/jira/browse/UNOMI-553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Serge Huber closed UNOMI-553.
-----------------------------
    Fix Version/s: unomi-2.0.0
       Resolution: Fixed

New tracker fixes this problem. 

> Add unomi session cookie options to web tracker to improve support of 
> websites that use directories in the url with no intention of isolation.
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: UNOMI-553
>                 URL: https://issues.apache.org/jira/browse/UNOMI-553
>             Project: Apache Unomi
>          Issue Type: Improvement
>            Reporter: matt fowler
>            Priority: Minor
>             Fix For: unomi-2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The unomiSessionId cookie will get created by the web tracker if it is not 
> already present.  The creation of this cookie is done with help from the 
> 'component-cookie', which in turn uses document.cookie to create it.
> If the url being requested is something like "http://example.com" then the 
> document.cookie will automatically create the unomiSessionId cookie with a 
> path of '/'.  This allows the cookie to be accessed throughout the rest of 
> the session, even if the user goes to sub directories in the url such as 
> "http://example.com/dir1/index.html".
> However, if there isn't a unomiSessionId cookie present, and the first page 
> that a user accesses is within a sub directory, such as 
> "http://example.com/dir1/index.html", then the unomiSessionId gets created 
> with a path of /dir1.  This is the default behavior of document.cookie when 
> the document is a directory off of the main url.  Since the unomiSessionId 
> cookie now has a path of /dir1, if the end user were to navigate to any 
> other directory such as http://example.com/dir2/index.html or to the root 
> url of http://example.com/ then a new session Id is created because the 
> cookie is only readable off of the path of /dir1.
> This behavior can be beneficial in some situations, but there are many cases 
> where a site will have multiple sub directories with no intention of having 
> isolation between each of them.  The expected behavior in this scenario would 
> be that a user coming in to http://example.com/dir1/index.html gets a 
> session Id that remains throughout the entire interaction of 
> http://example.com no matter what the path.  Today that 
> is not possible: a new session Id will be created with each visit to a new 
> directory UNTIL they finally hit the base url, which will then cause a 
> unomiSessionId cookie with a path of '/' which then can be used by all sub 
> directories.
> Proposed Fix:
> Not sure if we want to change the default behavior in case this is working as 
> intended for existing implementations.  The proposed fix would be to have a 
> unomiOption which could force the session cookie to use a custom path.  Due 
> to the library being used, it also might make sense to just allow for all of 
> the cookie options to be exposed as a unomi option, resulting in something 
> like:
>     var unomiOption = {
>         scope: 'my-scope',
>         url: 'unomi-url',
>         // Options passed through to the cookie library for the session cookie
>         sessionCookieOptions: {
>             path: '/',
>             domain: '',
>             expires: '',
>             secure: false,  // boolean
>             maxage: ''
>         }
>     };



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
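
The path behaviour described in the issue follows the default-path and path-match rules of RFC 6265 (section 5.1.4). The sketch below is an added example, not code from the Unomi tracker or from the issue reporter; `defaultCookiePath`, `pathMatches` and `sessionSurvives` are hypothetical helper names, and the sample URLs are the ones used in the issue text.

```javascript
// RFC 6265 section 5.1.4: path a browser assigns to a cookie that is
// set without an explicit Path attribute (as document.cookie does).
function defaultCookiePath(requestUrl) {
  const uriPath = new URL(requestUrl).pathname;
  if (!uriPath.startsWith('/')) return '/';
  const lastSlash = uriPath.lastIndexOf('/');
  // A single "/" at index 0 means the document sits at the site root.
  return lastSlash === 0 ? '/' : uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does a request path match a cookie path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end on a "/" boundary, so /dir1 does not match /dir10.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Hypothetical helper: would a session cookie created on firstPage be
// readable on nextPage? sessionCookieOptions mirrors the proposed option.
function sessionSurvives(firstPage, nextPage, sessionCookieOptions = {}) {
  const cookiePath = sessionCookieOptions.path || defaultCookiePath(firstPage);
  return pathMatches(new URL(nextPage).pathname, cookiePath);
}

// Constructed walk-through using the URLs from the issue description.
const first = 'http://example.com/dir1/index.html';
const pages = [
  'http://example.com/dir1/other.html',
  'http://example.com/dir2/index.html',
  'http://example.com/',
];
for (const page of pages) {
  console.log(page,
    '| default path:', sessionSurvives(first, page),
    "| path '/':", sessionSurvives(first, page, { path: '/' }));
}
```

RFC 6265 does not treat the Path attribute as a security boundary, so setting the session cookie path to '/' widens where the session id is readable without removing any real isolation between directories on the same origin.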
