hc-dev mailing list archives

From Jeffrey Dever <jsde...@sympatico.ca>
Subject Re: Special domains as defined by Netscape do not seem to make much sense (Cookies of all countries, unite!!!)
Date Thu, 28 Nov 2002 18:56:18 GMT
IETF mantra: "be lenient in what you take in, and rigorous in what you 
send out" (or something like that)

The Netscape spec *is* crufty, and stupid.  I guess the expectation was 
that all countries would have names like *.com.ca over just *.ca, which is 
rarely the case.

We could have an option to turn this on, but I would be satisfied to say 
we are compliant with RFC2109 and not be so stringent.

-jsd



Danny Burkes wrote:

>Hi Oleg-
>
>Here's my 2 cents:
>
>It seems clear to me that HttpClient should conform to RFC2109, which
>superseded Netscape's draft.  Section 4.3.2 of RFC2109 clearly lays out the
>rules of cookie rejection, and HttpClient should implement to those rules.
>IMHO, Netscape's draft is just some old cruft, and you shouldn't worry about
>it.  Stick to the RFC.
>
>Best Regards,
>
>Danny
>
>  
>
>>-----Original Message-----
>>From: Oleg Kalnichevski [mailto:o.kalnichevski@dplanet.ch]
>>Sent: Thursday, November 28, 2002 9:46 AM
>>To: Commons HttpClient Project
>>Subject: Special domains as defined by Netscape do not seem to make
>>much sense (Cookies of all countries, unite!!!)
>>
>>
>>People,
>>Need a wider opinion on the following matter:
>>HttpClient rigidly follows the letter of Netscape's draft
>>specification:
>>
>>"...Only hosts within the specified domain can set a cookie for a domain
>>and domains must have at least two (2) or three (3) periods in them to
>>prevent domains of the form: ".com", ".edu", and "va.us". Any domain
>>that fails within one of the seven special top level domains listed
>>below only require two periods. Any other domain requires at least
>>three. The seven special top level domains are: "COM", "EDU", "NET",
>>"ORG", "GOV", "MIL", and "INT"..."
>>
>>As a result the cookie "name=value; path=/; domain=.google.ch"
>>originated from the host www.google.ch would be rejected, whereas
>>"name=value; path=/; domain=.google.com" originated from the host
>>www.google.com would be accepted
>>
>>I agree with Brett that this kind of behavior does not seem to make a
>>lot of sense. Since the RFC2109 does not mention any special domains, I
>>personally would favor removing the special domain check from the cookie
>>validation logic and would treat all domains equally, that is,
>>permitting hosts from non-special domains in the form xxx.domain.xx to
>>set domain-wide cookies (.domain.xx)
>>
>>"Cookies of all countries, unite!!!"
>>
>>On behalf of comrade Carl,
>>
>>Oleg
>>
>>On Tue, 2002-11-26 at 20:02, Brett Knights wrote:
>>    
>>
>>>Sure,
>>>When I try to connect to http://www.google.com I get redirected to
>>>http://www.google.ca
>>>
>>>Connecting to http://www.google.ca generates the error.
>>>
>>>This is using the examples/ClientApp.java from the November 25 source
>>>drop.
>>>
>>>I get the same response using jdk 131 and jdk 140
>>>
>>>I really think the Netscape spec meant to specify behaving the way rfc
>>>2109 now prescribes and that their mention of the 7 special domains
>>>was more by way of a short-sighted example than having any real
>>>reason. Can anyone think of one?
>>>
>>>
>>>-- Original Message --
>>>From: "Kalnichevski, Oleg" <oleg.kalnichevski@bearingpoint.com>
>>>To: "Commons HttpClient Project"
>>><commons-httpclient-dev@jakarta.apache.org>
>>>Sent: Tuesday, November 26, 2002 9:58 AM
>>>Subject: RE: Domain attribute on cookie
>>>
>>>
>>>Brett,
>>>
>>>Could you please let me know the full URL which I could use to
>>>reproduce the problem?
>>>
>>>Oleg
>>>
>>>--Original Message--
>>>From: Brett Knights [mailto:brett@knightsofthenet.com]
>>>Sent: Tuesday, November 26, 2002 6:43 PM
>>>To: Commons HttpClient Project; ajack@TrySybase.com
>>>Subject: Re: Domain attribute on cookie
>>>
>>>
>>>I got a similar message but thrown from Cookie line 944
>>>
>>>the requested domain is .google.ca  and the cookie doesn't contain a
>>>version field.
>>>
>>>The code that throws the error is looking for the number of tokenized
>>>parts to be = 3 when in fact 2 would do.
>>>
>>>I think the RFC 2109 domain matching rules should be used for all
>>>cookies regardless of whether they are version 0 or 1.
>>>
>>>I think this would be achieved if the code simply made sure the
>>>requested domain begins with a dot, contains at least one other dot
>>>and that when it is removed from the FQDN of the requesting server the
>>>remainder doesn't contain a dot.
>>>
>>>
>>>HTH
>>>
>>>      
>>>
>>>>org.apache.commons.httpclient.HttpException: Bad Set-Cookie header: ANON=150651038325328; domain=.sybase.com; path=/; expires=Friday, 31-Dec-2010 23:59:59 GMT Illegal domain attribute.sybase.com
>>>>        at org.apache.commons.httpclient.Cookie.parse(Cookie.java:922)
>>>>        at org.apache.commons.httpclient.HttpMethodBase.processResponseHeaders(HttpMethodBase.java:1445)
>>>>        at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1530)
>>>>        at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2182)
>>>>        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:820)
>>>>        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:455)
>>>>
>>>>Reading this specification it seems this domain value is valid.
>>>>
>>>>http://www.w3.org/Protocols/rfc2109/rfc2109 states:
>>>>Domain=domain Optional. The Domain attribute specifies the domain for which
>>>>the cookie is valid. An explicitly specified domain must always start with
>>>>a dot.
>>>>Am I missing something?
>>>
>>>--
>>>To unsubscribe, e-mail:
>>><mailto:commons-httpclient-dev-unsubscribe@jakarta.apache.org>
>>>For additional commands, e-mail:
>>><mailto:commons-httpclient-dev-help@jakarta.apache.org>
>--
>Oleg Kalnichevski <o.kalnichevski@dplanet.ch>
>
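
Added example, not part of the original messages and not HttpClient's own code: a Java comparison of the two rules discussed in the thread, the Netscape draft's period count and the RFC 2109 section 4.3.2 Domain checks, run over the thread's host/domain pairs plus two constructed ones. The class and method names are hypothetical, and Path and IP-address handling is left out.

```java
import java.util.List;
import java.util.Locale;

public class CookieDomainRules {
    // The seven special top-level domains listed in the Netscape draft.
    static final List<String> SPECIAL = List.of("com", "edu", "net", "org", "gov", "mil", "int");

    // Netscape draft: the host must lie within the domain, and the domain needs
    // two periods under a special TLD, three under any other.
    static boolean netscapeAccepts(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        if (!h.endsWith(d)) return false;
        long periods = d.chars().filter(c -> c == '.').count();
        String tld = d.substring(d.lastIndexOf('.') + 1);
        return periods >= (SPECIAL.contains(tld) ? 2 : 3);
    }

    // RFC 2109 section 4.3.2, Domain rules only (Path and IP-address hosts omitted).
    static boolean rfc2109Accepts(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        int embedded = d.indexOf('.', 1);
        if (!d.startsWith(".") || embedded < 0 || embedded == d.length() - 1) return false;
        if (!h.endsWith(d) || h.length() == d.length()) return false; // domain-match
        String prefix = h.substring(0, h.length() - d.length());      // the "H" in "HD"
        return prefix.indexOf('.') < 0;                                // H must hold no dots
    }

    public static void main(String[] args) {
        // Constructed cases; the first three are the host/domain pairs from the thread.
        String[][] cases = {
            {"www.google.com", ".google.com"},
            {"www.google.ch", ".google.ch"},
            {"www.google.ca", ".google.ca"},
            {"a.b.example.com", ".example.com"},
            {"example.co.uk", ".co.uk"},
        };
        for (String[] c : cases) {
            System.out.printf("%-16s %-13s netscape=%-5b rfc2109=%b%n",
                    c[0], c[1], netscapeAccepts(c[0], c[1]), rfc2109Accepts(c[0], c[1]));
        }
    }
}
```

In the last case `.co.uk` set from `example.co.uk` passes the RFC 2109 checks while the draft's period count rejects it; the draft's stated purpose for that count is to prevent domains of the form ".com", ".edu", and "va.us".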

