
Set default cookie path to webroot instead of base.

Refs #5404
ADmad 11 years ago
parent
commit
2f3d50b355

+ 2 - 2
src/Controller/Component/CookieComponent.php

@@ -43,7 +43,7 @@ class CookieComponent extends Component {
  *   If path is set to '/foo/', the cookie will only be available within the
  *   /foo/ directory and all sub-directories such as /foo/bar/ of domain.
  *   The default value is base path of app. For e.g. if your app is running
- *   under a subfolder "cakeapp" of document root the path would be "/cakeapp"
+ *   under a subfolder "cakeapp" of document root the path would be "/cakeapp/"
  *   else it would be "/".
  * - `domain` - The domain that the cookie is available. To make the cookie
  *   available on all subdomains of example.com set domain to '.example.com'.
@@ -137,7 +137,7 @@ class CookieComponent extends Component {
 		}
 
 		if (empty($this->_config['path'])) {
-			$this->config('path', $this->_request->base ?: '/');
+			$this->config('path', $this->_request->webroot);
 		}
 
 		if ($controller && isset($controller->response)) {
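Review bot: The new `$this->config('path', $this->_request->webroot);` line drops the `?: '/'` fallback the old line had, so an empty `webroot` would leave the configured path empty. That can presumably happen with a Request built without a `webroot` key (the updated tests pass one explicitly), and a cookie written with no Path is scoped by the browser to the directory of the current URL rather than to the application. Keeping the guard, `$this->config('path', $this->_request->webroot ?: '/');`, avoids that. The docblock in the first hunk still reads "The default value is base path of app" and should name the webroot instead. The enclosing method starts and ends outside the hunk.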

+ 1 - 1
src/Controller/Component/CsrfComponent.php

@@ -122,7 +122,7 @@ class CsrfComponent extends Component {
 			'name' => $this->_config['cookieName'],
 			'value' => $value,
 			'expiry' => $this->_config['expiry'],
-			'path' => $request->base,
+			'path' => $request->webroot,
 			'secure' => $this->_config['secure'],
 		]);
 	}
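Review bot: With `'path' => $request->webroot` the token cookie's Path now ends in a slash (`/dir/` in the updated tests), and under RFC 6265 path matching a request for exactly `/dir` falls outside that scope. If the application can be reached without the trailing slash, the browser would not send the token on that request, so a state-changing request there would presumably fail validation; a comment such as `// webroot ends in '/', so the cookie covers /dir/... but not a bare /dir` would make that visible. The component documentation should also state that Path only narrows where the cookie is sent and does not isolate it from other applications on the same host. The array literal opens outside the hunk.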

+ 1 - 1
src/Network/Request.php

@@ -168,7 +168,7 @@ class Request implements \ArrayAccess {
 		list($base, $webroot) = static::_base();
 		$sessionConfig = (array)Configure::read('Session') + [
 			'defaults' => 'php',
-			'cookiePath' => $base
+			'cookiePath' => $webroot
 		];
 
 		$config = array(
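Review bot: The new default `'cookiePath' => $webroot` changes the session cookie's Path for subfolder installs (from `/cakeapp` to `/cakeapp/` in the CookieComponent docblock's example), and the upgrade impact is not documented. Browsers key cookies by name, domain and path, so a client holding a session cookie issued before the upgrade would keep it next to the new one, and clearing the new cookie on logout would not remove the old. If the older session is still valid on the server, a user could stay signed in after logout until it expires; a line in the upgrade notes plus a comment here, e.g. `// default to webroot (trailing slash) to match CookieComponent and CsrfComponent`, would cover it. An explicit `Session.cookiePath` setting still takes precedence because of the `+` array union, and the method continues outside the hunk.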

+ 4 - 4
tests/TestCase/Controller/Component/CsrfComponentTest.php

@@ -59,7 +59,7 @@ class CsrfComponentTest extends TestCase {
 		$_SERVER['REQUEST_METHOD'] = 'GET';
 
 		$controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
-		$controller->request = new Request(['base' => '/dir']);
+		$controller->request = new Request(['webroot' => '/dir/']);
 		$controller->response = new Response();
 
 		$event = new Event('Controller.startup', $controller);
@@ -69,7 +69,7 @@ class CsrfComponentTest extends TestCase {
 		$this->assertNotEmpty($cookie, 'Should set a token.');
 		$this->assertRegExp('/^[a-f0-9]+$/', $cookie['value'], 'Should look like a hash.');
 		$this->assertEquals(0, $cookie['expiry'], 'session duration.');
-		$this->assertEquals('/dir', $cookie['path'], 'session path.');
+		$this->assertEquals('/dir/', $cookie['path'], 'session path.');
 
 		$this->assertEquals($cookie['value'], $controller->request->params['_csrfToken']);
 	}
@@ -204,7 +204,7 @@ class CsrfComponentTest extends TestCase {
 		$_SERVER['REQUEST_METHOD'] = 'GET';
 
 		$controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
-		$controller->request = new Request(['base' => '/dir']);
+		$controller->request = new Request(['webroot' => '/dir/']);
 		$controller->response = new Response();
 
 		$component = new CsrfComponent($this->registry, [
@@ -221,7 +221,7 @@ class CsrfComponentTest extends TestCase {
 		$this->assertNotEmpty($cookie, 'Should set a token.');
 		$this->assertRegExp('/^[a-f0-9]+$/', $cookie['value'], 'Should look like a hash.');
 		$this->assertEquals(90, $cookie['expiry'], 'session duration.');
-		$this->assertEquals('/dir', $cookie['path'], 'session path.');
+		$this->assertEquals('/dir/', $cookie['path'], 'session path.');
 		$this->assertTrue($cookie['secure'], 'cookie security flag missing');
 	}