path is always "/" in set-cookie within scope #237

Open
jumpnbrownweasel opened this issue Jul 10, 2022 · 1 comment

jumpnbrownweasel commented Jul 10, 2022

I'm using [Dream.set_secret secret; Dream.cookie_sessions] within a scope ("/app") and this works in the sense that the set-cookie header is not output until a request in this scope is made. However, the path in the set-cookie header is always "/", so all subsequent requests (including outside the scope) send the cookie.

Perhaps I have a misunderstanding (I'm new at this) but I expected the path in the set-cookie to be the scope's path ("/app") so that cookies are only sent for requests in that scope. Maybe this is harmless, but I'm not sure.

@aantron aantron added this to the alpha6 milestone Apr 17, 2023
aantron (Owner) commented Apr 26, 2023

Thank you! @jumpnbrownweasel I understand that you are referring to a scope in the sense of the router, that is Dream.scope. This refers only to grouping middlewares and routes under a certain path, as per the docs:

Groups routes under a common path prefix and middlewares. Middlewares are run only if a route matches.

What you are probably looking for is a scope for your entire app, which in Dream's terms is the site prefix, implemented by Dream.with_site_prefix. This affects the paths emitted for (secure, by default) cookies:

Removes the given prefix from the path in each request, and adds it to the request prefix. Responds with 502 Bad Gateway if the path does not have the expected prefix.

This is for applications that are not running at the root (/) of their domain. The default is "/", for no prefix. After with_site_prefix, routing is done relative to the prefix, and the prefix is also necessary for emitting secure cookies.

I'm not sure if this is the right API -- please comment if you have an opinion!

There should probably be a link in the docs from Dream.scope to Dream.with_site_prefix so that people can find the right function, as getting this wrong can have security implications for the Web app, as, of course, you saw in this issue!

@aantron aantron self-assigned this Apr 26, 2023
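To make the security point of this thread concrete, here is an added example (not code from Dream or from either participant) that applies the RFC 6265 §5.1.4 path-match rule to two constructed Set-Cookie headers: the `Path=/` header the reporter observed when the session middleware ran only inside a `Dream.scope "/app"`, and a `Path=/app` header of the kind one would expect once the app is mounted under a site prefix. The cookie name, value and the list of request paths are made up for the example; it does not talk to a Dream server.

```python
"""RFC 6265 cookie Path semantics for the two Set-Cookie variants in this issue.

Added example, not part of Dream or this issue thread. The headers, cookie
name/value and request paths below are constructed for illustration.
"""

# What the reporter saw: session middleware inside Dream.scope "/app", but the
# emitted cookie is scoped to the whole origin.
SCOPE_ONLY_HEADER = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

# The shape one would expect after mounting the app under a "/app" site prefix
# (assumed form; the exact header Dream emits is not shown on this page).
SITE_PREFIX_HEADER = "session=abc123; Path=/app; Secure; HttpOnly; SameSite=Lax"

# Set-Cookie with no Path attribute at all: the browser computes a default path
# from the request URI that set it.
NO_PATH_HEADER = "session=abc123; Secure; HttpOnly"

# Constructed set of later requests to the same origin.
LATER_REQUESTS = ["/", "/app", "/app/login", "/application", "/admin"]


def default_path(request_uri_path: str) -> str:
    """RFC 6265 section 5.1.4: default-path when Set-Cookie has no Path attribute.

    Everything up to, but not including, the right-most '/' of the request
    path; '/' if that would be empty or the path does not start with '/'.
    """
    if not request_uri_path.startswith("/"):
        return "/"
    idx = request_uri_path.rfind("/")
    return "/" if idx == 0 else request_uri_path[:idx]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: does the browser attach this cookie?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        # cookie_path is a proper prefix and the next char must be a '/',
        # so Path=/app matches /app/login but not /application.
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def parse_set_cookie(header: str, set_on_request_path: str) -> dict:
    """Minimal Set-Cookie parser: name, value, effective Path and flags.

    A Path attribute that is absent, empty, or does not start with '/' is
    replaced by the default-path (RFC 6265 section 5.2.4).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    path = attrs.get("path", "")
    if not path.startswith("/"):
        path = default_path(set_on_request_path)
    return {
        "name": name.strip(),
        "value": value.strip(),
        "path": path,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def requests_receiving_cookie(header: str, set_on_request_path: str = "/app/login") -> list:
    """Which of LATER_REQUESTS will carry the cookie set by `header`?"""
    cookie = parse_set_cookie(header, set_on_request_path)
    return [p for p in LATER_REQUESTS if path_matches(p, cookie["path"])]


if __name__ == "__main__":
    for label, header in [("scope only (Path=/)", SCOPE_ONLY_HEADER),
                          ("site prefix (Path=/app)", SITE_PREFIX_HEADER),
                          ("no Path attribute", NO_PATH_HEADER)]:
        sent = requests_receiving_cookie(header)
        print(f"{label:26s} -> sent on {sent}")
```

Running it shows the reporter's observation in miniature: the `Path=/` cookie rides along on every later request to the origin, including `/admin`, while the `Path=/app` cookie goes only to `/app` and `/app/login` (not `/application`). One caveat a practitioner should keep in mind: Path controls when the browser sends the cookie, not who can read it. RFC 6265 §8.6 is explicit that cookies provide no isolation by path, so a page served from another path on the same origin can still reach a `/app`-scoped cookie (for instance by embedding `/app` in a frame and reading `document.cookie` there). Scoping the Path, as `Dream.with_site_prefix` is meant to produce, reduces needless exposure of the session token; separating trust domains still requires separate origins.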