Skip to content

fix: add Path to cookie#9364

Merged
mscolnick merged 1 commit into
marimo-team:mainfrom
aqora-io:jpop/cookie-path
Apr 24, 2026
Merged

fix: add Path to cookie#9364
mscolnick merged 1 commit into
marimo-team:mainfrom
aqora-io:jpop/cookie-path

Conversation

@jpopesculian

Copy link
Copy Markdown
Contributor

Closes #9363

Scopes the name of the cookie to the path, as well as adds a Path attribute to the cookie

📋 Pre-Review Checklist

  • For large changes, or changes that affect the public API: this change was discussed or approved through an issue, on Discord, or the community discussions (Please provide a link if applicable).
  • Any AI generated code has been reviewed line-by-line by the human PR author, who stands by it.
  • Video or media evidence is provided for any visual changes (optional).

✅ Merge Checklist

  • I have read the contributor guidelines.
  • Documentation has been updated where applicable, including docstrings for API changes.
  • Tests have been added for the changes made.
Copilot AI review requested due to automatic review settings April 24, 2026 15:44
@vercel

vercel Bot commented Apr 24, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
marimo-docs Ready Ready Preview, Comment Apr 24, 2026 4:20pm

Request Review

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the server’s session cookie handling to avoid session collisions when multiple marimo instances are hosted under different sub-paths behind the same domain.

Changes:

  • Scope the session cookie name by base_url (in addition to port) to prevent cross-instance overwrites.
  • Set the session cookie Path to the configured base_url so cookies are constrained to the app’s sub-path.
  • Add test coverage to validate cookie name/path behavior for base URLs (including nested paths).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
marimo/_server/api/auth.py Adjusts CustomSessionMiddleware to incorporate base_url into the cookie name and set cookie Path accordingly.
tests/_server/api/test_auth.py Adds tests asserting the cookie name and path are correctly derived from base_url.
Comment thread marimo/_server/api/auth.py Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="marimo/_server/api/auth.py">

<violation number="1" location="marimo/_server/api/auth.py:170">
P3: Typo: duplicated word "the the" — should be "the port and base URL".</violation>
</file>
Architecture diagram
sequenceDiagram
    participant Client as Web Browser
    participant Middleware as CustomSessionMiddleware
    participant State as Server State
    participant Starlette as Starlette Base Session

    Note over Client,Starlette: Request Interception

    Client->>Middleware: Incoming HTTP Request
    Middleware->>State: Extract port and base_url
    
    rect rgb(240, 240, 240)
    Note right of Middleware: Cookie Configuration (Runtime)
    
    opt Port is configured
        Middleware->>Middleware: CHANGED: Append port to cookie name
    end

    alt NEW: base_url is set (e.g., "/marimo1")
        Middleware->>Middleware: NEW: Slugify base_url (e.g., "_marimo1")
        Middleware->>Middleware: NEW: Append slug to cookie name
        Middleware->>Middleware: NEW: Update cookie 'Path' attribute to base_url
    else No base_url
        Middleware->>Middleware: Use original path (usually "/")
    end
    end

    Middleware->>Starlette: Call parent session handler
    Starlette->>Starlette: Process session data
    Starlette-->>Client: HTTP Response + Set-Cookie
    Note right of Client: Cookie name is now unique per instance<br/>and Path restricted to base_url
Loading

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.

Comment thread marimo/_server/api/auth.py Outdated
@mscolnick

Copy link
Copy Markdown
Contributor

thanks for the fix, this make sense. if you had a proxy between this, you could also intercept and re-write the cookie

@mscolnick mscolnick merged commit 2b0f5e1 into marimo-team:main Apr 24, 2026
39 checks passed
@codecov

codecov Bot commented Apr 24, 2026

Copy link
Copy Markdown

Bundle Report

Changes will increase total bundle size by 25.12MB (100.0%) ⬆️⚠️, exceeding the configured threshold of 5%.

Bundle name Size Change
marimo-esm 25.12MB 25.12MB (100%) ⬆️⚠️
@jpopesculian jpopesculian deleted the jpop/cookie-path branch April 28, 2026 12:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

3 participants