> -----Original Message-----
> From: Greg Ward
>
> I've just discovered a teensy little flaw in Quixote's session
> management code: if the SESSION_COOKIE_PATH config variable is not set,
> then Quixote sets the cookie without a "Path" parameter, e.g.:
>
>   Set-Cookie: QX_session="..."
>
> which means the browser is only supposed to send that session cookie to
> URLs that are "under" the URL that sent the cookie in the first place.
> So if the first request in a session is deep in an application's
> URL-space, then the session cookie will not be sent for requests that
> are higher up.
>
> E.g. if my application is at "/bugs/", and the first request is for
> "/bugs/0123/", then my browser will send the session cookie to
> "/bugs/0123/edit", but not to "/bugs/0124/" or to the application root,
> "/bugs/".
>
> The fix is pretty obvious: make the default session cookie path the URL
> of the application root, which is conveniently available in
> SCRIPT_NAME. Patch attached. With this patch, the above Set-Cookie
> header would be
>
>   Set-Cookie: QX_session="..."; Path="/bugs/"
>
> This has subtle security implications, since it could widen the scope of
> session cookies. If anyone is really relying on this bug, they deserve
> what's coming. ;-) (And they should set SESSION_COOKIE_PATH, but doing
> that will not reproduce the current behaviour. I very much doubt that the
> current behaviour is desirable for anyone; it certainly wasn't
> intentional when I wrote the code!)
>
> Greg

I have made it run, but only after applying the patch to revoke_session_cookie, too. (Was the attachment the complete patch?)

Someone somewhere wrote:

"""
Note that some clients require a path to be specified - this path must exactly match the path given when creating the cookie.
"""

This must be my case. (Tested on SCGI 1.1 and Mozilla 1.5.)

Anyway, I think it is good to be able to start (restart) a session from any point in the application, as a default behavior.

Oscar Rambla
CODI