geronimo-dev mailing list archives

From "Sangjin Lee (JIRA)" <>
Subject [jira] Updated: (GERONIMO-3861) cookies need to be validated and filtered
Date Mon, 25 Feb 2008 23:41:51 GMT


Sangjin Lee updated GERONIMO-3861:

    Attachment: GERONIMO-3861.patch

I'm submitting a suggested fix.  Please take a look at it, and let me know if you would like
to discuss some of the elements of the fix...

- Created an interface that encapsulates the cookie validation strategy: CookiePolicy.
- Provided a couple of implementations: DefaultCookiePolicy & NullCookiePolicy.
- When parsing incoming cookies, provide default values for domain & path attributes if
either is missing.
- To do the above, HttpResponseMessage now has a reference to the request URL (I did not add
a reference to the HttpRequestMessage object as I think it's a bit more heavyweight than retaining
the request URL).
- CookiePolicy is set on AsyncHttpClient, and is transferred to HttpRequestMessage when messages
are sent.
- The default CookiePolicy is DefaultCookiePolicy.
- Wrote unit tests for cookie validation.

It is working as expected, but I think some details still have room for discussion.  I'd love
to hear your thoughts.


> cookies need to be validated and filtered
> -----------------------------------------
>                 Key: GERONIMO-3861
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: AsyncHttpClient
>    Affects Versions: 1.x
>            Reporter: Sangjin Lee
>            Assignee: Rick McGuire
>            Priority: Minor
>         Attachments: GERONIMO-3861.patch
> Today AHC simply accepts all cookies from the response and emits all cookies in the request. However, the attributes need to be taken into consideration when we set the cookies as well as when we send them.  Two parts of the issue:
> [1] When we emit the cookies in the request, we need to check 
> - if the domain matches
> - if the path matches
> - if the cookie has not expired
> - and if the cookie is secure (if the request protocol is http)
> before adding it to the Cookie header.
> [2] When we accept the cookies in the response, we need to check for the domain and the path.  Note that we do not discard expired cookies, as that's often a way to delete an existing

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
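
The four send-side checks listed in part [1] of the issue, as an added example that is not taken from GERONIMO-3861.patch or from AsyncHttpClient. The `Cookie` record, the class and method names, and the sample values are hypothetical; the domain and path matching follow the RFC 6265 rules, which is an assumption about the intended semantics. It requires Java 16 or later for records.

```java
import java.net.URI;
import java.time.Instant;
import java.util.Locale;

public class CookieSendCheck {
    // Hypothetical cookie holder for this example; expires == null means a session cookie.
    record Cookie(String name, String domain, String path, Instant expires, boolean secure) {}

    // Host must equal the cookie domain or be a subdomain of it, on a label boundary.
    static boolean domainMatches(String host, String cookieDomain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);
        return h.equals(d) || h.endsWith("." + d);
    }

    // Request path must equal the cookie path or sit below it, on a "/" boundary.
    static boolean pathMatches(String requestPath, String cookiePath) {
        String p = (requestPath == null || requestPath.isEmpty()) ? "/" : requestPath;
        if (p.equals(cookiePath)) return true;
        if (!p.startsWith(cookiePath)) return false;
        return cookiePath.endsWith("/") || p.charAt(cookiePath.length()) == '/';
    }

    // Applies the checks in the order the issue lists them: domain, path, expiry, secure.
    static boolean shouldSend(Cookie c, URI request, Instant now) {
        if (!domainMatches(request.getHost(), c.domain())) return false;
        if (!pathMatches(request.getPath(), c.path())) return false;
        if (c.expires() != null && !c.expires().isAfter(now)) return false;
        return !c.secure() || "https".equalsIgnoreCase(request.getScheme());
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2008-02-25T23:41:51Z"); // constructed sample data
        Cookie c = new Cookie("sid", ".example.com", "/app", now.plusSeconds(3600), true);
        String[] urls = {
            "https://www.example.com/app/index",   // subdomain, sub-path, https
            "http://www.example.com/app/index",    // same URL over plain http
            "https://badexample.com/app/index",    // host sharing only a string suffix
            "https://www.example.com/application"  // path sharing only a string prefix
        };
        for (String u : urls) System.out.println(u + " -> " + shouldSend(c, URI.create(u), now));
    }
}
```

The last two sample URLs are the cases a plain `endsWith` or `startsWith` comparison gets wrong, which is why both matchers test for a boundary character.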
