OriginURI cookie script in index.html

3
Our index.html (just as the index.html for a new Mendix project) contains the following bit of Javascript: <script> if (!document.cookie || !document.cookie.match(/(^|;)originURI=/gi)) document.cookie = "originURI=/login.html"; </script> I am trying to understand what this does exactly. Where is this magic /gi value coming from? And where is the originURI cookie being set? What is this supposed to do at all? The reason I am asking this question is twofold. Firstly I want to understand how this works. Secondly, a security scan for our project flagged this script as a potential issue, so I would like to be able to explain what it does and why we need it (if we actually do).
asked
3 answers
5

See Johan's answer for an explanation of the regular expression.

What this script basically does is it sets the 'originURI' cookie to '/login.html' if the cookie is not yet set. This cookie is used by the client to decide whether it should navigate to a custom login page when the user signs out. If the 'originURI' cookie is set, it will navigate to that page. If the cookie is not set it will show the default login form.

This cookie is usually set on the login page itself to make it possible to use multiple login pages. The client then uses this cookie to redirect users to the correct login page when they sign out.

I think the reason this script is inside the default index page is that it is needed to make single sign-on work in the cloud. If you don't use single sign-on you can safely remove this script. You will then use the default login form instead of login.html.

answered
3

The match is a regular expression. The g and i are flags which change the behaviour of the regular expression. The g refers to global, meaning it will match all occurrences. The i means that it's case insensitive.

The cookie is used by single sign-on. The originUri points to the login page, so that we can redirect you automatically.

answered
1

Thanks for your clarification Johan. That makes sense. This still leaves the question why this script is needed at all.

answered