Re: [Cppcms-users] The role of cookie path
From: CN <cn...@fa...> - 2016-07-12 17:13:23
On Mon, Jul 11, 2016, at 10:07 PM, Artyom Beilis wrote:
> I see,
>
> does it happen with server side session storage?

No. I have always been using only client side storage. This is the complete and real server configuration parameter "session":

    "session":{
        "location":"client",
        "expire":"renew",
        "timeout":2592000,
        "cookies":{
            "prefix":"prefix"
        },
        "client":{
            "hmac":"sha512",
            "hmac_key":"(redacted)",
            "cbc":"aes192",
            "cbc_key":"(redacted)"
        }
    },

> Can you track all the requests using browser debugger and see what is
> transferred in each request.

Yes, the browser development tool shows only one "network" entry. Although I feel the information it reveals is not quite useful, it is as follows:

    1 requests
    168 B transferred
    Name:http://localhost:82/da/1/t4_722/f3/1/f2/2009-10-28%2000%3A00%3A00%2B08/f1/1
    Type:document
    Initiator:82/script/download.html
    Size:168 B
    Time:7 ms

Here are the real URLs sent from client to server:

URL "/normal" is redacted from this real URL:

    <a href="/crud/6108" target="_blank"></a>

window.location.replace("/special") is redacted from this real javascript:

    window.location.replace("/da/1/t4_722/f3/1/f2/2009-10-28%2000%3A00%3A00%2B08/f1/1");

The following two server codes

    void normal_page::main(std::string url)
    {
        //"url" holds "normal".
        for(auto const &c : request().cookies())
            BOOSTER_DEBUG("COOKIES") << c.first << "==>" << c.second.value();
        BOOSTER_DEBUG("1 is logged") << request().is_set("my_cookie");
    }

    void download::main(std::string url)
    {
        //"url" holds "special".
        for(auto const &c : request().cookies())
            BOOSTER_DEBUG("COOKIES") << c.first << "==>" << c.second.value();
        BOOSTER_DEBUG("0 is logged") << request().is_set("my_cookie");
    }

and the browser development tool all show the following same real cookie "prefix":

    CO5HS8grAi6Oa6qAqt97ZN2lIS8DDuI2OihXBV_YI-60u6zi9dbmdHb-w1XljS0HYDPlAD8AF_z2yJm2-1O0kWNtYrnxgGBGsZ8Oh0rXusajLV8-d2IK4x7mpVAedpzOcYhuuRDsHMcfdC0sXJvdTTSPy2_Q5bC9qPYzCn_kHLM90CdnqkkV_u41KpUK3XC-cm5XL82VPVKZL9UcI_Bm81-AWlP-lp-9R5HKBnfVr8FVN9-U20Y7L73wA0WFPEzEF

> What you are telling me is quite strange.
>

I am not sure if this helps..

    int main(int argc,char **argv){
        ...
        s.applications_pool().mount(cppcms::create_pool<normal_page>(),cppcms::mount_point(cppcms::mount_point::match_path_info,"^/(?:crud)/(\\d+)",1),cppcms::app::synchronous);
        s.applications_pool().mount(cppcms::create_pool<download>(),cppcms::mount_point("/da/(.+)",1),cppcms::app::asynchronous);
        ...
    }

window.location.replace() is called from the page requested from URL "/crud/6108".

As I mentioned earlier in this thread,

(1) Server recognizes all incoming cookies when it receives various requests manually sent from user's mouse clicks on buttons in the page requested from URL "/crud/6108".

(2) Server denies the existence of incoming cookies only when the requested URL is initiated by javascript call window.location.replace(). Both Chrome and Firefox are treated by server in the same way.

(3) Regardless of which initiation method is used by the client, server prints the same signed and encrypted cookie value named "prefix".

Best Regards,
CN

--
http://www.fastmail.com - The way an email service should be
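Added example, not part of the original message and not CppCMS code: since the thread subject is the cookie path, this sketch applies the RFC 6265 section 5.1.4 default-path and path-match rules to the two URLs quoted in the message. The Path values in the jar are assumptions, because the message does not show either cookie's attributes: "prefix" is taken to be scoped to "/" and "my_cookie" to have been set without a Path attribute by a response to "/crud/6108".

```javascript
// RFC 6265 section 5.1.4: the path a cookie receives when the Set-Cookie
// header that created it carried no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  // Only one "/" in the path: the default is the root.
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4 path-match: true when a cookie scoped to
// cookiePath would be attached to a request for requestPath.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end on a "/" boundary, so "/crud" does not match "/crudx".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies in the jar that would accompany a request.
function cookiesSentFor(requestPath, jar) {
  return jar.filter((c) => pathMatches(requestPath, c.path)).map((c) => c.name);
}

// The two request paths quoted in the message.
const CRUD_URL = "/crud/6108";
const DOWNLOAD_URL = "/da/1/t4_722/f3/1/f2/2009-10-28%2000%3A00%3A00%2B08/f1/1";

// Constructed cookie jar. Both Path values are assumptions (see lead-in).
const jar = [
  { name: "prefix", path: "/" },                      // assumed site-wide
  { name: "my_cookie", path: defaultPath(CRUD_URL) }, // assumed default path
];

// Summarise which cookies each handler would see under these assumptions.
function report() {
  return {
    myCookiePath: jar[1].path,
    normalPage: cookiesSentFor(CRUD_URL, jar),
    download: cookiesSentFor(DOWNLOAD_URL, jar),
  };
}

console.log(report());
```

Under these assumptions the outcome matches observations (1) to (3): the request to "/da/..." carries "prefix" but not "my_cookie", however the navigation was started. Comparing the Path column for both cookies in the browser's cookie storage view confirms or rules this out.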