The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

When the application residing at 

/apps/secure/foo-app/index.jsp

sets a

requests to the path 

/apps/secure/foo-app/

, and also to any subdirectories. It

will not submit the cookie to the parent directory or to any other directory

paths that exist on the server.

As with domain-based restrictions on cookie scope, a server can override

this default behavior by including a 

path

attribute in the 

instruc-

Set-cookie: sessionId=187ab023e09c00a881a; path=/apps/;

the browser will then resubmit this cookie to all subdirectories of the 

/apps/