Cookies... are they session cookies or broader in scope??

[ardy564]

I'm using cookies to share data between forms and model "windows" in order to reduce database calls. But it seems that even when I remove the cookie or set expiration time limits the data is still available between users on different machines.

I'm using Pode.Web and MS SQL Server.

[Badgerati]

Hi @ardy564,

They're session scoped. Have you an example of how your creating, expiring/removing the cookies?

How do you mean the data is available between users on different machines? That doesn't sound like cookies 🤔

[ardy564]

After further testing we determined that it wasn't the cookies. We narrowed it down to a variable passed in an argument list.
Still perplex as to why it was happening... Going to attempt to explain here:

On a page there are two dynamically built forms. Form A (Disable Acccount) and Form B (Enable Account). I was passing data via an argument list to the forms. This data is then written to a log file to provide documentation as to what happened to the account.

New-PodeWebForm -name 'myformA' -ArgumentList $AccountOwner -ScriptBlock {
param($thisAccountOwner)
Write-LogMessage "Account owned by $thisAccountOwner disabled for a reason" -CookieValue $thisGuid
}

New-PodeWebForm -name 'myformB' -ArgumentList $AccountOwner -ScriptBlock {
param($thisAccountOwner)
Write-LogMessage "Account owned by $thisAccountOwner enabled" -CookieValue $thisGuid
}

I Submit myFormA then I Submit myFormB for another user. The $thisAccountOwner of form B had the value from form A but had the correct cookie value.

This appeared to happen between user on different machines as well.

Our conclusion was that the data was being retained in some global address space because when we "destroyed" the variable with Clear-Variable the issue disappeared.

We run pode as service with Powershell 7.2.3 Core

Any tweaks or a better explanation would be most welcomed.

[Badgerati]

This makes sense now, and is expected due to how elements are created, I need to document properly as it's missing. Somebody over on Discord in the Pode.Web channel actually just asked a very similar question a few days back!

The reason is that when you create an element, with the same ID (or Name if ID isn't supplied), it's created once, plus the route that backs it. Because of this, the -ArgumentList used is from the first time the element was created. Anything after that is ignored - otherwise the route that backs the element would be recreated, and would affect other people viewing the page - not just the one person refreshing or submitting.

The reason for this is because if an element was created anew each time, a new route would be created every single time as well. After a few pages loads, that's a lot of routes! To get around this, Pode.Web will skip recreating the same element again, if it already exists - by checking if it's route already exists. I've been trying to think of a more elegant way to do this, so use cases like yours above work.

Where is it that $AccountOwner is sourced from? If it's in $WebEvent, then the Form's scriptblock has access to this, and should be able to retrieve it from there.