Is it safe to use such code?

Response.Cookies[cookieName].Path = Request.ApplicationPath + "/";

I want to know about all corner cases, please...

+2  A: 

If your application runs in the root of a domain, Request.ApplicationPath == "/". Hence, with your code, the path of your cookie will be //. You can dodge around this problem by doing this:

cookie.Path = Request.ApplicationPath;
if (cookie.Path.Length > 1) cookie.Path += '/';

As Will correctly points out, you will want to make sure that your application enforces a consistent casing of URLs (i.e. redirect all requests with URLs containing uppercase letters to their lowercase equivalent).

Other than that, I believe you should be fine doing this. If you want all of your cookies to be "application scoped", consider creating a custom IHttpModule with code like this (or extend global.asax.cs):

private void Application_EndRequest(object sender, EventArgs e)
{
    var app = (HttpApplication)sender;

    var cookiePath = app.Request.ApplicationPath;
    if (cookiePath.Length > 1) cookiePath += '/';

    foreach (string name in app.Response.Cookies.AllKeys)
    {
        var cookie = app.Response.Cookies[name];
        cookie.Path = cookiePath;
    }
}
Jørn Schou-Rode
Redirects are only possible if not POSTs, so developers would have to be very careful to lower-case *all* URLs, and virtual folders in IIS - ApplicationPath is made up from them. But as you say, most issues could be mitigated by redirecting mixed-case URLs to lower case, and using an HttpModule to do that makes best sense. I'd even go as far as failing any attempted POSTs to mixed-case URLs that needed to read or set a mixed-case pathed cookie, as it would be lost.
Will
+4  A: 

In short, no, it's not safe. Using cookie paths is fraught with problems as they are case sensitive in IE and Chrome, but not FF. This means any mismatch in path case will stuff things up.

  1. When generating a cookie, if the path you set differs in case from what the user typed, browsers won't store it.

  2. When the user returns, if the path they enter differs in case from the first trip, the browser won't supply the cookie with the request.

What problem are you trying to solve?

Will
I'm not sure why it is needed at all now. Is it like Jørn explained, that by using a cookie path and an ASP.NET module (or an alternative outside the ASP.NET world) you could allow multiple instances of the same web app to run on the same domain?
Sergej Andrejev
It is possible for your apps to share a pathless single cookie if they need to store state, uniquely identifying the user session via an id. The id is used to look up values in memory or DB, and if the cookie is missing it issues one, or if the application doesn't recognise the id it allocates new entries. This method works quite well, but does consume memory or DB space with old values, so you will need to think about cleaning them out periodically.
Will
A: 

No, it's not safe, for the reasons that Will specified.

But... You may want to employ this technique to fulfill your intent.

Jim G.
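
The corner cases raised in the answers above, run through the path-match rule of RFC 6265 section 5.1.4 (an added example, not part of any answer on this page). The function names and sample paths are constructed, and a given browser may deviate from the RFC rule.

```javascript
// Added example: cookie path matching per RFC 6265 section 5.1.4.
// Function names and all sample paths are constructed for illustration.

// The question's original code: always append "/".
function naiveCookiePath(applicationPath) {
  return applicationPath + "/";
}

// The first answer's fix: append "/" only when the app is not at the root.
function fixedCookiePath(applicationPath) {
  return applicationPath.length > 1 ? applicationPath + "/" : applicationPath;
}

// RFC 6265 5.1.4: true when a cookie with cookiePath accompanies requestPath.
// The comparison is character-for-character, so it is case-sensitive.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// For each request path, report whether the cookie is sent as-is and whether
// it would be sent if both sides were lower-cased first (the redirect idea).
function cornerCases(cookiePath, requestPaths) {
  return requestPaths.map((requestPath) => ({
    requestPath,
    cookiePath,
    sent: pathMatches(requestPath, cookiePath),
    sentIfLowercased: pathMatches(requestPath.toLowerCase(), cookiePath.toLowerCase()),
  }));
}

// Constructed scenarios: an app at the root and an app under "/Shop".
const scenarios = [
  ...cornerCases(naiveCookiePath("/"), ["/default.aspx"]),
  ...cornerCases(fixedCookiePath("/"), ["/default.aspx"]),
  ...cornerCases(fixedCookiePath("/Shop"), [
    "/Shop/cart.aspx", "/shop/cart.aspx", "/Shop", "/Shopping/cart.aspx",
  ]),
];
for (const s of scenarios) {
  console.log(`${s.cookiePath} -> ${s.requestPath}: sent=${s.sent}, lowercased=${s.sentIfLowercased}`);
}
```

Under this rule a cookie scoped to "/Shop/" is also withheld from a request for "/Shop" without the trailing slash, so the application's entry URL needs to be consistent in that respect as well as in case.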