Transverse Issue Canvas/ARC/Pulse - Cookies Clash between ODE products?
Hi,
I am reaching out after a high-level analysis on a login issue (potentially TM1 related). I'm grateful that @hwithington had a look and he noticed an issue with the URLs and triggered the following analysis about the URL used by the client for ARC/Canvas/Pulse.
As I mentioned, a different port number doesn’t differentiate an application’s cookie scope. This means all three DEV applications and all 4 PROD applications are potentially sharing cookie “space”.
To check the cookies from the browser, open Arc, Pulse or Canvas, click the padlock icon in the address bar (left of the URL), select “Cookies” and expand the URL, expand “Cookies”.
For example:
Cookies for Pulse on my local:
Cookies for Arc on my local (note the domain is different):
As you can see, session cookies for TM1 login have the same name for Arc and Pulse (and I suspect for Canvas too).
The Domain and Path define the scope for the cookies. When two or more web applications use the same scope, their cookies will overwrite each other.
If you find this is the case, you might need to set up the environments with different host names.
So, for example, the PROD environment might be:
• Arc Prod: https://arc.ipo.local:7070/#/
• Canvas Prod: https://canvas.ipo.local:8443/XXXXXXX/
• Apliqo Prod: https://ux.ipo.local:8880/apliqo
• Pulse Prod: https://pulse.ipo.local:8099/#/
They can all still resolve to the same machine IP, as long as they define different cookie scopes in the browser.
Hope this helps!
My questions about this are:
- Can this create login issues in the Code products (seen in ARC and Canvas)? --> clients have an instant message saying "Logins credential are invalid".
- Is it the recommended setup (having a dedicated URL per product)? --> I know a lot of clients who are set up with http://:
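
Added example, not part of the original post and not code from any of the products named: a simplified model of the cookie scoping described in the quoted analysis, showing that two applications on one host name overwrite each other's session cookie regardless of port, while separate host names keep them apart. It assumes host-only cookies (no `Domain` attribute); the cookie name `SESSION_COOKIE` and the host `apps.example.local` are constructed placeholders.

```javascript
// Simplified model of browser cookie storage (RFC 6265, section 5.3): a cookie
// is keyed by (name, domain, path). Scheme and port are not part of the key.
const COOKIE = "SESSION_COOKIE"; // placeholder name, constructed for this example

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // Store a host-only cookie (no Domain attribute) set by a response from `url`.
  set(url, name, value, path = "/") {
    const host = new URL(url).hostname; // hostname only: the port is dropped
    this.store.set([name, host, path].join("|"), { name, value, host, path });
  }

  // Cookies the browser would attach to a request for `url`.
  cookiesFor(url) {
    const u = new URL(url);
    const sent = {};
    for (const c of this.store.values()) {
      if (c.host === u.hostname && pathMatches(u.pathname, c.path)) sent[c.name] = c.value;
    }
    return sent;
  }
}

// Log in to Arc, then to Pulse, and return the session value Arc sees next.
function arcSessionAfterPulseLogin(arcUrl, pulseUrl) {
  const jar = new CookieJar();
  jar.set(arcUrl, COOKIE, "arc-session");
  jar.set(pulseUrl, COOKIE, "pulse-session");
  return jar.cookiesFor(arcUrl)[COOKIE];
}

// Group application URLs by hostname; any group with 2+ entries shares a scope.
function sharedScopes(apps) {
  const byHost = new Map();
  for (const [app, url] of Object.entries(apps)) {
    const host = new URL(url).hostname;
    byHost.set(host, [...(byHost.get(host) || []), app]);
  }
  return [...byHost].filter(([, names]) => names.length > 1);
}
```

Passing the deployment's real URLs to `sharedScopes` lists which products currently sit in the same cookie scope. If the applications set cookies with a `Domain` attribute covering a parent domain, separate host names under that parent would still share the cookie, which this model does not cover.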