Current time: 08-24-2019, 01:20 AM Hello There, Guest! (LoginRegister)

Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Cookie Scoping
07-13-2010, 07:53 PM (This post was last modified: 07-13-2010 08:39 PM by calumfodder.)
Post: #1
Cookie Scoping
Best practice is to serve static content without cookies attached.

To achieve this people generally split static content out to a cookie free domain.

Is there a way to serve both dynamic (with cookies) and static content (without cookies) from the same domain? ie. is it possible to scope cookies by resource as well as by domain/sub-domain?
Answering my own question (maybe I should have seached a little longer), it would seem that provision for this already exists by setting the 'path' attribute on the cookie.

Setting the path attribute to a subset of the urls being served by a domain allows for the tightening of the scope of a cookie.
So we can split the site like so:
my.example.com/dynamic
my.example.com/static
Then limit the cookie to a domain of my.example.com and a path of /dynamic

This should mean that browsers will not supply a cookie when requesting resources from my.example.com/static

Are there any pitfalls (eg. lack of browser support) to using the path attribute on a cookie?
Find all posts by this user
Quote this message in a reply
07-13-2010, 09:01 PM
Post: #2
RE: Cookie Scoping
The path works fine across browsers but the problem comes when you want to use the cookie higher in the tree (say at your root for http://www.mypage.com). If you can partition all of your paths so all of the dynamic content is always in a subfolder then that would work fine.
Visit this user's website Find all posts by this user
Quote this message in a reply
07-13-2010, 09:51 PM
Post: #3
RE: Cookie Scoping
With Coldfusion, you can have an Application.cfm file in multiple directories. I usually declare the cfapplication cookie settings in these files. If you have an Application.cfm file in your subdirectory that does not use cookies, then it may be possible that the cookie information is not passed when an image is accessed in the subdirectory. I know a file only reads the innermost Application.cfm file so if you had two files, one in your main directory and one in the image subdirectory, the one in your main directory would not get processed when you read a file in the image subdirectory. I usually use a subdirectory for static resources so cookie information is not passed in that situation.
Find all posts by this user
Quote this message in a reply
07-13-2010, 10:38 PM
Post: #4
RE: Cookie Scoping
Actually, the cookie path applies cookies to anything under the path so if a cookie is used at the top-level then even if your app doesn't use it the browser is sending cookies for requests for your static content.

For example, if you set a cookie to /foo

Then:

/foo/bar/some_static_file - would get the cookies
/static/otherfile - would not get the cookies

This is why it becomes problematic because usually you want tthe cookies to be available for your base page at / which means that it would get applied to everythiong on the domain.
Visit this user's website Find all posts by this user
Quote this message in a reply
07-13-2010, 10:43 PM
Post: #5
RE: Cookie Scoping
(07-13-2010 09:01 PM)pmeenan Wrote:  The path works fine across browsers but the problem comes when you want to use the cookie higher in the tree (say at your root for http://www.mypage.com). If you can partition all of your paths so all of the dynamic content is always in a subfolder then that would work fine.

Ok so I guess its then down to a design choice for how the site is laid out then as it would be simple to 301 / to a subfolder such as home for the index page.
Thanks
Find all posts by this user
Quote this message in a reply
07-14-2010, 02:22 AM
Post: #6
RE: Cookie Scoping
Hey Guys,

I want to explain myself a little further.

Test Page:

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<img src="searsCoupon.png" />
</body>
</html>

Exhibit A: http://www.webpagetest.org/result/100713...imization/
example.com/test/cookie1/test.cfm
Exhibit B: http://www.webpagetest.org/result/100713...imization/
example.com/test/cookie2/test.cfm

Exhibit A does not pass cookie information with the image and Exhibit B does do this.

Example.com has an Application.cfm file at the root directory that includes this line that enables cookies on the website:

Code:
<cfapplication applicationtimeout="#createTimeSpan(0,1,0,0)#" clientmanagement="yes" name="#myAppName#"
sessionmanagement="#sessionManagement#" sessiontimeout="#sessionTimeout#" clientstorage="cookie">

In the cookie1 directory, there is another Application.cfm file that is blank. However, it overrides the root directory Application.cfm file. Cookies never get set for Exhibit A because of this.

Sincerely,
Travis Walters
Find all posts by this user
Quote this message in a reply
07-14-2010, 03:23 AM
Post: #7
RE: Cookie Scoping
Sort of but if you look at Exhibit B, the path for the cookies themselves is actually / so if you ever visit another page on the site (ANYWHERE), the cookie that was set in Exhibit B will be sent up with all requests (including for static content). It also means that any requests for static objects regardless of their path (if they are on the same domain) will include the cookies.

I think what your test shows is just the difference between two apps, one that sets cookies and one that doesn't.

Thanks,

-Pat
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)