commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vincent Massol" <vmas...@octo.com>
Subject RE: [HttpClient] Still problems with null domains and paths
Date Sun, 24 Mar 2002 16:48:41 GMT
Marc,

> -----Original Message-----
> From: Marc Saegesser [mailto:Marc.Saegesser@apropos.com]
> Sent: 22 March 2002 15:19
> To: Jakarta Commons Developers List
> Subject: RE: [HttpClient] Still problems with null domains and paths
> 
> Vincent,
> 
> I've written quite a bit on this topic over the last few weeks, so you
> might
> find some of the stuff in list archives useful.  I'll try to summarize
> things again here.
> 

oops. Sorry Marc, I should have read all the posts. I guess my mailbox
was a bit overflowed with Commons messages and I must have skipped them
too quick ... Thank you for your patience :-)

> All cookies have a domain and path associated with them.  The path can
be
> specified explicitly using attributes on the set-cookie header or they
be
> set to default values as defined by RFC 2109.  The domain and path are
> important because they determine what cookies are allowed to be sent
with
> later requests (in a coookie header).  There are very explicit rules
in
> RFC
> 2109 about what cookies are allowed be sent a server based on the
> request's
> domain and URL.
> 
> The notion that cookies don't have to have domains and paths comes
from, I
> believe, an incomplete reading of the specification.  RFC 2109 does
say
> that
> the domain and path attributes are optional on the set-coookie header,
but
> it follows up by saying that if those attributes are not in the header
> that
> the domain and path are set to known default values (the request host
and
> the request path up to but not including the right-most slash).  It is
> also
> important to keep track of whether the domain and path attributes were
> specified explicitly on the set-cookie header or have default values
> because
> that effects what data is included in the cookie header (see section
4.3.4
> in the paragraph following the syntax description).
> 
> The createCookieHeader() method generates a cookie header from a list
of
> cookies.  The cookies are selected according to the rules given in RFC
> 2109/4.3.4 (see 'Domain selection', 'Path selection' and 'Max-age
> selection').  There is no way to select cookies for a cookie header
> without
> having a domain and path.  Thus, createCookieHeader() now throws an
> IllegalArgumentException if either domain or path is null.  If there
are
> cookies in the list passed to createCookieHeader() that don't have
domain
> or
> path (i.e. getDomain() or getPath() return null) then they are
excluded
> from
> the selection process and won't appear in the generated cookie header.
> This
> is all based on the domain-match algorithm given in section 2 of RFC
2109.
> 
> All this is done to prevent cookies from 'escaping' or 'leaking' out
to
> sites where they don't belong (see section 7.2).
> 

ah ok. I now understand. I'll add a default domain and path for users
who don't specify them. Will try it now.

Thanks
-Vincent

> Marc "Cookie" Saegesser
> 
> > -----Original Message-----
> > From: Vincent Massol [mailto:vmassol@octo.com]
> > Sent: Thursday, March 21, 2002 5:13 PM
> > To: commons-dev@jakarta.apache.org
> > Subject: [HttpClient] Still problems with null domains and paths
> >
> >
> > Hi,
> >
> > The Cactus build is breaking again. The error is that Cactus
> > allows the
> > user to create cookies with no domain and/or no path. This seems to
be
> > allowed by the spec (RFC 2109) :
> >
> > "
> >    set-cookie      =       "Set-Cookie:" cookies
> >    cookies         =       1#cookie
> >    cookie          =       NAME "=" VALUE *(";" cookie-av)
> >    NAME            =       attr
> >    VALUE           =       value
> >    cookie-av       =       "Comment" "=" value
> >                    |       "Domain" "=" value
> >                    |       "Max-Age" "=" value
> >                    |       "Path" "=" value
> >                    |       "Secure"
> >                    |       "Version" "=" 1*DIGIT
> >
> > [...]Each cookie begins with a NAME=VALUE pair, followed by
> > zero or more
> > semi-colon-separated attribute-value pairs. The syntax for
> > attribute-value pairs was shown earlier. The specific
> > attributes and the
> > semantics of their values follows. The NAME=VALUE attribute-
> > value pair
> > must come first in each cookie. The others, if present, can
> > occur in any
> > order [...]
> > "
> >
> > However the method Cookie.createCookieHeader(...) does not allow for
> > null domains and paths.
> >
> > Thus, when I call in cactus :
> >
> > Header cookieHeader =
> >     org.apache.commons.httpclient.Cookie.createCookieHeader(
> >     HttpClientHelper.getDomain(theRequest, theConnection),
> >     HttpClientHelper.getPath(theRequest, theConnection),
> >     httpclientCookies);
> >
> > where httpclientCookies is an array of cookies with no path
> > nor domain,
> > the Cookie.match() code in createCookieHeader() fails and thus
> > createCookieHeader returns null, which is not correct according to
the
> > spec above.
> >
> > Am I missing something ? :-)
> >
> > Thanks
> > -Vincent
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> > <mailto:commons-dev-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail:
> > <mailto:commons-dev-help@jakarta.apache.org>
> >
> 
> --
> To unsubscribe, e-mail:   <mailto:commons-dev-
> unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:commons-dev-
> help@jakarta.apache.org>
> 




--
To unsubscribe, e-mail:   <mailto:commons-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:commons-dev-help@jakarta.apache.org>


Mime
View raw message