Cookie path should be set explicitly (was: Sessions not working over 302 redirect) about cowboy2_session HOT 2 CLOSED

It's like this:

1. I had some older code that was doing set-cookie from /auth/github, which Firefox remembered as path=/auth/github
2. Because of the better match, it would send that cookie first, and we'd successfully update that session.
3. Back on the home page, it would send the original cookie (implicitly path=/), which didn't match the session.

"But Roger", you say, "you've been restarting the app frequently, surely you'd create a new session, to avoid session fixation attacks with the permissive mode? See https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-generation-and-verification-permissive-and-strict-session-management if you don't know what I'm referring to."

"You're correct", I say, "I am doing that, but each time we issue a new session, it implicitly gets reissued with the broken path, and we see the same behaviour again".

tl;dr: the browser defaults the cookie path to the current location; set path=/ if you want it to work for the entire site.

from cowboy2_session.

Further information:

• You can't see this in the server; the client sends both session cookies to /auth/github, but it doesn't include the path, so you can't easily see which is which. It sends them ordered by best-match (i.e. longest path prefix match).
• You have to look in the browser; in Firefox, this is in dev tools / storage / cookies. That shows the path, and makes it more obvious.

I don't know whether this is Firefox-specific behaviour.

from cowboy2_session.