I'm using [Dream.set_secret secret; Dream.cookie_sessions] within a scope ("/app") and this works in the sense that the set-cookie header is not output until a request in this scope is made. However, the path in the set-cookie header is always "/", so all subsequent requests (including outside the scope) send the cookie.
Perhaps I have a misunderstanding (I'm new at this) but I expected the path in the set-cookie to be the scope's path ("/app") so that cookies are only sent for requests in that scope. Maybe this is harmless, but I'm not sure.
Thank you! @jumpnbrownweasel I understand that you are referring to a scope in the sense of the router, that is Dream.scope. This refers only to grouping middlewares and routes under a certain path, as per the docs:
Groups routes under a common path prefix and middlewares. Middlewares are run only if a route matches.
What you are probably looking for is a scope for your entire app, which in Dream's terms is the site prefix, implemented by Dream.with_site_prefix. This affects the paths emitted for (secure, by default) cookies:
Removes the given prefix from the path in each request, and adds it to the request prefix. Responds with 502 Bad Gateway if the path does not have the expected prefix.
This is for applications that are not running at the root (/) of their domain. The default is "/", for no prefix. After with_site_prefix, routing is done relative to the prefix, and the prefix is also necessary for emitting secure cookies.
I'm not sure if this is the right API -- please comment if you have an opinion!
There should probably be a link in the docs from Dream.scope to Dream.with_site_prefix so that people can find the right function, as getting this wrong can have security implications for the Web app, as, of course, you saw in this issue!
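To make the cookie-scoping point in this thread concrete, here is an added illustration (not Dream code, and not part of the original issue or reply) of how a browser decides whether to attach a cookie to a request, following the path-match and default-path rules of RFC 6265 section 5.1.4. The cookie name `session` and the two Set-Cookie headers are constructed for the example; the first mirrors what the issue reports (Path=/), the second what the reporter expected (Path=/app). Domain, Secure and HttpOnly are deliberately left out because only the Path attribute is at issue here.

```python
"""Cookie Path scoping as a browser evaluates it (RFC 6265, section 5.1.4).

Added illustration for the Dream issue above; this is not Dream code.
It models only the Path attribute (Domain, Secure and HttpOnly are ignored)
to show which request paths receive a session cookie issued with Path=/
versus one scoped to Path=/app.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str  # effective cookie-path (explicit Path attribute or default-path)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: does this request path receive the cookie?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # cookie-path is a proper prefix: it must end in "/" or the request path
    # must continue with a "/" so that /app does not match /application.
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def default_path(request_uri_path: str) -> str:
    """RFC 6265 5.1.4 default-path, used when Set-Cookie has no Path attribute.

    The browser derives it from the path of the request that set the cookie:
    everything up to (not including) the last "/", or "/" if there is only one.
    """
    if not request_uri_path.startswith("/"):
        return "/"
    if request_uri_path.count("/") <= 1:
        return "/"
    return request_uri_path[: request_uri_path.rfind("/")]


def parse_set_cookie(header: str, request_uri_path: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus an optional Path attribute.

    Other attributes are skipped. A Path value that does not start with "/"
    is ignored and the default-path is used instead, as the RFC requires.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and val.startswith("/"):
            path = val
    if path is None:
        path = default_path(request_uri_path)
    return Cookie(name, value, path)


def cookies_sent(jar: list[Cookie], request_path: str) -> list[str]:
    """Names of the cookies in the jar that a request to request_path carries."""
    return [c.name for c in jar if path_matches(request_path, c.path)]


def demo() -> dict[str, dict[str, list[str]]]:
    """Compare the issue's observed header (Path=/) with the expected one (Path=/app).

    Returns, per case, the cookies attached to a set of constructed request paths.
    """
    # Constructed headers, as if emitted in a response to GET /app/login.
    observed = parse_set_cookie("session=abc; Path=/; Secure; HttpOnly", "/app/login")
    expected = parse_set_cookie("session=abc; Path=/app; Secure; HttpOnly", "/app/login")
    requests = ["/", "/app", "/app/page", "/application", "/other/page"]
    return {
        "Path=/": {r: cookies_sent([observed], r) for r in requests},
        "Path=/app": {r: cookies_sent([expected], r) for r in requests},
    }


if __name__ == "__main__":
    for case, table in demo().items():
        print(case)
        for request_path, names in table.items():
            print(f"  {request_path:<14} -> {names or 'no cookie'}")
```

With Path=/, every request on the host carries the session cookie, which is what the issue reports; with Path=/app it goes only to /app and paths beneath it, and not to /application. Worth keeping in mind when deciding whether the wider path is harmless: RFC 6265 (section 8.6) is explicit that the Path attribute provides scoping, not isolation, since pages on other paths of the same origin share the origin and can still read a non-HttpOnly cookie or set cookies for any path. A correct site prefix therefore limits needless cookie exposure, while the Secure and HttpOnly attributes and a single consistent prefix carry the actual security weight.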