Home/ Questions/Q 778213
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T19:43:44+00:00

I’m trying to set a session cookie restricted to a particular path (let’s say

  • 0

I’m trying to set a session cookie restricted to a particular path (let’s say /foo) when a user logs in. The complication being that the login page is on /, but the request immediately redirects to /foo/something. Something like this:

Request:

POST / HTTP/1.1

username=foo&password=bar

Response:

HTTP/1.0 302 Found
Location: http://example.com/foo/home
Set-Cookie: session=whatever; path=/foo

However, the relevant bits of the RFCs I could find (rfc2109 and rfc2965) say this:

To prevent possible security or privacy violations, a user agent
rejects a cookie (shall not store its information) if any of the
following is true:

  • The value for the Path attribute is not a prefix of the request-
    URI.

The cookie-setting process described above seems to work okay, but as far as I can tell the RFCs are saying it shouldn’t.

I’d like to use this in a production system, but I really don’t want to do that if I’m going to face horrible browser incompatibility problems later.

Am I misreading the RFCs?

Thanks in advance!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Don’t pay any attention to those RFCs; they diverge from reality pretty badly.

    There’s currently an IETF WG that’s documenting actual cookie behaviour; their document, while just a draft, is much better source material.

    See:
    http://datatracker.ietf.org/doc/draft-ietf-httpstate-cookie/

    If you don’t find text that addresses your question in the draft, bring it up with the Working Group!

    • 0