fix: add Path to cookie#9364
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Updates the server’s session cookie handling to avoid session collisions when multiple marimo instances are hosted under different sub-paths behind the same domain.
Changes:
- Scope the session cookie name by
base_url(in addition to port) to prevent cross-instance overwrites. - Set the session cookie
Pathto the configuredbase_urlso cookies are constrained to the app’s sub-path. - Add test coverage to validate cookie name/path behavior for base URLs (including nested paths).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
marimo/_server/api/auth.py |
Adjusts CustomSessionMiddleware to incorporate base_url into the cookie name and set cookie Path accordingly. |
tests/_server/api/test_auth.py |
Adds tests asserting the cookie name and path are correctly derived from base_url. |
There was a problem hiding this comment.
1 issue found across 2 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="marimo/_server/api/auth.py">
<violation number="1" location="marimo/_server/api/auth.py:170">
P3: Typo: duplicated word "the the" — should be "the port and base URL".</violation>
</file>
Architecture diagram
sequenceDiagram
participant Client as Web Browser
participant Middleware as CustomSessionMiddleware
participant State as Server State
participant Starlette as Starlette Base Session
Note over Client,Starlette: Request Interception
Client->>Middleware: Incoming HTTP Request
Middleware->>State: Extract port and base_url
rect rgb(240, 240, 240)
Note right of Middleware: Cookie Configuration (Runtime)
opt Port is configured
Middleware->>Middleware: CHANGED: Append port to cookie name
end
alt NEW: base_url is set (e.g., "/marimo1")
Middleware->>Middleware: NEW: Slugify base_url (e.g., "_marimo1")
Middleware->>Middleware: NEW: Append slug to cookie name
Middleware->>Middleware: NEW: Update cookie 'Path' attribute to base_url
else No base_url
Middleware->>Middleware: Use original path (usually "/")
end
end
Middleware->>Starlette: Call parent session handler
Starlette->>Starlette: Process session data
Starlette-->>Client: HTTP Response + Set-Cookie
Note right of Client: Cookie name is now unique per instance<br/>and Path restricted to base_url
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
5d79e64 to
40a46fa
Compare
|
thanks for the fix, this make sense. if you had a proxy between this, you could also intercept and re-write the cookie |
Bundle ReportChanges will increase total bundle size by 25.12MB (100.0%) ⬆️
|
Closes #9363
Scopes the name of the cookie to the path, as well as adds a
Pathattribute to the cookie📋 Pre-Review Checklist
✅ Merge Checklist