
#179 HTTP cookies expire even when sub-paths recently visited

v1.0a1_to_1.0a4
open
nobody
5
2005-03-23
2005-03-23
Mike Brown
No

From Kia Vang on 2003-10-12:

Currently, there is no mechanism for setting the
session cookie path. This presents a problem when you
have a path-based request URL scheme.

For example, if I visit http://foo.com/ and log in as a
user, a session cookie is set for the path '/' (i.e.
default path). Let's say this cookie has a timeout
(max-age) of X seconds. Now, if I visit
http://foo.com/apples/, a NEW (i.e. different) session
cookie is set for the path '/apples/' with a time-out
of also X seconds. Now, if after X seconds I return to
http://foo.com/, the session cookie that the browser
sends is the FIRST cookie (i.e. the cookie for path '/',
not path '/apples/'). This cookie has expired even
though I was being 'active' under the path /apples/.

What should happen when I visit http://foo.com/apples/
after logging in as a user, is for the original cookie
to have its time-out reset to X seconds. A new cookie
should not be created for the new /apples/ path. I
believe this is the expected behaviour.

[ Ft/Server/Server/Http/Session.py has not been updated
since this report was posted on the 4suite mailing list ]
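
The sequence in the report, replayed against a simplified browser cookie jar (an added example, not 4Suite code and not part of the original report). It assumes the RFC 6265 default-path and path-match rules, under which the default path for /apples/ is /apples; the cookie name `sid`, the 600-second max-age and the names `Jar` and `replay` are constructed for illustration.

```python
# Simplified browser cookie jar (RFC 6265 path rules); times are in seconds.
MAX_AGE = 600  # constructed value standing in for the report's "X seconds"

def default_path(request_path):
    """RFC 6265 5.1.4: the path a cookie gets when Set-Cookie has no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: is a cookie with cookie_path sent for request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class Jar:
    def __init__(self):
        self.cookies = {}  # (name, path) -> absolute expiry time

    def set_cookie(self, name, request_path, now, path=None):
        # Same name with a different path is a separate cookie, not an update.
        key = (name, path or default_path(request_path))
        self.cookies[key] = now + MAX_AGE

    def sent_for(self, name, request_path, now):
        """Paths of the unexpired cookies the browser would send."""
        return sorted(p for (n, p), exp in self.cookies.items()
                      if n == name and exp > now and path_match(request_path, p))

def replay(session_path):
    """Log in at /, stay active under /apples/, return to / after X seconds."""
    jar = Jar()
    jar.set_cookie("sid", "/", now=0, path=session_path)
    jar.set_cookie("sid", "/apples/", now=MAX_AGE - 60, path=session_path)
    return jar.sent_for("sid", "/", now=MAX_AGE + 1)

if __name__ == "__main__":
    print("no Path attribute:", replay(None))   # nothing sent: session lost
    print("Path=/ on every response:", replay("/"))
```

With an explicit Path=/ the second Set-Cookie overwrites the first cookie and pushes its expiry forward, which is the behaviour the report asks for.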

Discussion

