commons-dev mailing list archives

From dIon Gillard
Subject Re: [httpclient] Constructing Cookies with null domains (again)
Date Thu, 07 Mar 2002 04:05:08 GMT
Marc Saegesser wrote:

>Well, I don't see your cookie dump, but what you're going to see on the server
>side (since you're running in a servlet) is different than what the client
>is going to see (which is what HttpClient is).
>Let me see if I can beat this to death one more time.  HttpClient can get
>cookies in two ways:  1) from a set-cookie header in an HTTP response or 2)
>by an application programmer creating Cookie objects and adding them to the
This bypasses the creation of the header, which somehow is also in the 
cookie class.

>In case 1 the Cookie's domain will *never* be null.  HttpClient does the
>right thing (in my opinion) by calling Cookie.parse() with the domain set to
>the hostname of the server that sent us the set-cookie header.  If the
>set-cookie header contains an explicit domain attribute then it updates the
>Cookie's domain, otherwise it remains the sending hostname.
>In case 2, someone might call a Cookie constructor with a null domain value.
>My opinion is that this should be illegal, and should throw an
>IllegalArgumentException.  Such a cookie would be useless because we can
>never send it to any server.  A cookie's domain must match the domain of the
>host that the request is going to, so without a domain the cookie should
>never be sent.
No, we could never send *it* to any server, but we can construct the 
header from 'null-domained' cookies, using a valid domain name, and the 
process would work as advertised.

It seems you're missing the 'create header' and use of the cookie class. 
Or am I missing something?

>Now, if someone convinces me that we should allow Cookies to be created with
>null domains, then I'll need to make sure that the HttpClient doesn't croak
>on them and that we never try to send them to anyone.  It just seems easier
>and safer to simply prevent such an abomination from ever being created in
>the first place.
That's what we did about a month ago - fix Cookie so it could handle 
null domains and paths *as properties*. The only piece that was left as 
an unknown issue was creating a header and parsing cookies from it.

We do have a 'user' of HttpClient that is using nulls in the cookie's 
domain/path - Cactus.

dIon Gillard, Multitask Consulting
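
The domain handling discussed in this thread, as an added Java example that is not part of the original message and is not HttpClient's code: a parsed cookie defaults its domain to the sending host, and header construction fails closed so a null-domain cookie is never attached to a request. The class and method names are hypothetical, the host names are constructed, and rejecting a Domain attribute that does not cover the sending host is an added check the thread does not discuss.

```java
import java.util.*;

// Hypothetical stand-in for illustration; not the HttpClient Cookie class.
public class CookieDomainDemo {
    record Cookie(String name, String value, String domain) {}

    // Null on either side never matches; otherwise exact host or a parent domain.
    static boolean domainMatches(String requestHost, String cookieDomain) {
        if (requestHost == null || cookieDomain == null) return false;
        String host = requestHost.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);
        return !d.isEmpty() && (host.equals(d) || host.endsWith("." + d));
    }

    // Case 1: the domain starts as the sending host; an explicit Domain attribute overrides it.
    static Cookie fromSetCookie(String sendingHost, String header) {
        String[] parts = header.split(";");
        String[] nv = parts[0].trim().split("=", 2);
        String domain = sendingHost.toLowerCase(Locale.ROOT);
        for (int i = 1; i < parts.length; i++) {
            String[] av = parts[i].trim().split("=", 2);
            if (av.length == 2 && av[0].trim().equalsIgnoreCase("domain") && !av[1].isBlank()) {
                domain = av[1].trim().toLowerCase(Locale.ROOT);
            }
        }
        // Added check (assumption, not from the thread): a host may only set cookies for itself or a parent.
        if (!domainMatches(sendingHost, domain)) {
            throw new IllegalArgumentException("Domain attribute does not cover " + sendingHost);
        }
        return new Cookie(nv[0].trim(), nv.length > 1 ? nv[1].trim() : "", domain);
    }

    // Builds the Cookie request header value; cookies that do not match the host are skipped.
    static String cookieHeader(String requestHost, List<Cookie> jar) {
        StringJoiner sj = new StringJoiner("; ");
        for (Cookie c : jar) {
            if (domainMatches(requestHost, c.domain())) sj.add(c.name() + "=" + c.value());
        }
        return sj.toString();
    }

    public static void main(String[] args) {
        List<Cookie> jar = new ArrayList<>();
        jar.add(fromSetCookie("www.example.test", "sid=abc123; Path=/"));            // host-only default
        jar.add(fromSetCookie("www.example.test", "pref=dark; Domain=.example.test")); // explicit attribute
        jar.add(new Cookie("orphan", "x", null));                                     // case 2: null domain
        for (String host : List.of("www.example.test", "api.example.test", "other.test")) {
            System.out.println(host + " -> [" + cookieHeader(host, jar) + "]");
        }
    }
}
```

The null-domain cookie appears in none of the three headers, and the host-only cookie is sent only to the host that set it.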
