hc-dev mailing list archives

From "Kalnichevski, Oleg" <oleg.kalnichev...@bearingpoint.com>
Subject RE: Bad cookie header: illegal domain attribute
Date Mon, 02 Dec 2002 17:54:39 GMT
Mike,

There are several things that seem fishy to me. 

The http server response contains the following header
Set-Cookie: SMCHALLENGE=YES; path=/; domain=.toyota.ca

This cookie should be rejected when it originates from the host test.ecp.toyota.ca, as it violates
the spec.

However according to the tcp dump the browser sends back the following cookie
Cookie: SMCHALLENGE=YES

The problem is that the cookie sent back to the http server also violates the cookie spec.
It should have included domain and path attributes as stated in RFC 2109. The cookie should
have been at least something similar to that below:
Cookie: SMCHALLENGE=YES; $DOMAIN=".toyota.ca"; $PATH="/"

I do not know what is going on here. Mozilla is renowned for its standards compliance. At
the very least one would expect it to send back a properly formatted cookie. Are you absolutely
positive that this cookie does originate from Mozilla and is not added later by some "man
in the middle" system? 

Oleg

PS: Stuff sent by IE does not count. I am surprised it has not included your credit card number
in that HTTP request.


-----Original Message-----
From: Mike Bowler [mailto:mbowler@GargoyleSoftware.com]
Sent: Monday, December 02, 2002 5:44 PM
To: Commons HttpClient Project
Subject: Re: Bad cookie header: illegal domain attribute


> your cookie won't work.
>
> your server is test.ecp.toyota.ca
> The most general server string you can set is .ecp.toyota.ca


The following is a tcp dump of Internet Explorer talking to this server. 
 You'll see that it sends down a cookie in the domain .toyota.ca and the 
browser accepts the cookie and sends it back up on the next request to 
test2.ecp.toyota.ca.  Mozilla does the same thing.  The stack trace that 
I'm getting is after the dump.  

I don't know what is correct according to the spec but I do know that 
this behaviour is allowed by IE and Mozilla.

============================

GET /ecp/index.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; H010818; .NET CLR 1.0.3705)
Host: test2.ecp.toyota.ca
Connection: Keep-Alive

HTTP/1.1 401 Authorization Required
Date: Mon, 02 Dec 2002 16:28:12 GMT
Server: Apache/1.3.14 (Unix)
WWW-authenticate: basic realm="ECP [11:28:12:1075]"
Set-Cookie: SMCHALLENGE=YES; path=/; domain=.toyota.ca
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

1df
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.<P>
<HR>
<ADDRESS>Apache/1.3.14 Server at tcisudev02.tci.toyota.com Port 80</ADDRESS>
</BODY></HTML>

0

GET /ecp/index.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; H010818; .NET CLR 1.0.3705)
Host: test2.ecp.toyota.ca
Connection: Keep-Alive
Cookie: SMCHALLENGE=YES
Authorization: Basic <snipped>

============================
     [java] INFO: Cookie rejected: "SMCHALLENGE=YES; path=/; domain=.toyota.ca". Bad cookie header: illegal domain attribute ".toyota.ca"
     [java] Dec 2, 2002 11:28:45 AM org.apache.commons.httpclient.HttpMethodBase processResponseHeaders
     [java] SEVERE: Exception processing response headers
     [java] org.apache.commons.httpclient.HttpException: Bad cookie header: illegal domain attribute ".toyota.ca"
     [java]     at org.apache.commons.httpclient.Cookie.validateDomainAttribVer1(Cookie.java:1057)
     [java]     at org.apache.commons.httpclient.Cookie.validate(Cookie.java:996)
     [java]     at org.apache.commons.httpclient.Cookie.parse(Cookie.java:940)
     [java]     at org.apache.commons.httpclient.HttpMethodBase.processResponseHeaders(HttpMethodBase.java:1445)
     [java]     at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1530)
     [java]     at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2182)
     [java]     at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:820)
     [java]     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:455)
     [java]     at com.gargoylesoftware.htmlunit.WebConnection.getResponse(WebConnection.java:95)
     [java]     at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:898)
     [java]     at CheckServerTask.runOnWorkerThread(CheckServerTask.java:33)
     [java]     at com.gargoylesoftware.base.gui.AbstractUIController$TaskRunnable.run(AbstractUIController.java:50)
     [java]     at java.lang.Thread.run(Thread.java:536)

-- 
Mike Bowler
Principal, Gargoyle Software Inc.
Voice: (416) 822-0973 | Email  : mbowler@GargoyleSoftware.com
Fax  : (416) 822-0975 | Website: http://www.GargoyleSoftware.com
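The disagreement in this thread is between two domain-matching policies applied to the same Set-Cookie. The block below is an added example, not code from HttpClient, HtmlUnit or either poster: it re-implements in Python the RFC 2109 section 4.3.2 Domain rules that HttpClient's validateDomainAttribVer1 enforces (the embedded-dot rule is the one that produces the exception in the trace), beside a permissive host-suffix check that approximates what the capture shows IE and Mozilla doing (that approximation is an assumption, not the browsers' actual code). It also formats the Cookie request header for a version-0 (Netscape-style, no Version attribute) and a version-1 cookie per RFC 2109 section 4.3.4. The host name and Set-Cookie line are taken from the capture above; everything else is constructed.

```python
"""Cookie Domain-attribute validation: strict RFC 2109 beside a permissive
browser-style check, run over the Set-Cookie from the capture in this thread.

Added example, not HttpClient or HtmlUnit code. The strict rules follow
RFC 2109 section 4.3.2; the permissive check is an assumed approximation of
the browser behaviour the capture shows.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed from the capture posted above (Host header and Set-Cookie line).
CAPTURED_HOST = "test2.ecp.toyota.ca"
CAPTURED_SET_COOKIE = "SMCHALLENGE=YES; path=/; domain=.toyota.ca"


@dataclass
class Cookie:
    name: str
    value: str
    path: Optional[str] = None
    domain: Optional[str] = None
    version: int = 0  # no Version attribute => Netscape-style ("version 0") cookie


def parse_set_cookie(header: str) -> Cookie:
    """Minimal Set-Cookie parser: NAME=VALUE followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "path":
            cookie.path = val
        elif key == "domain":
            cookie.domain = val.lower()
        elif key == "version":
            cookie.version = int(val)
    return cookie


def rfc2109_domain_reject_reason(host: str, domain: str) -> Optional[str]:
    """RFC 2109 section 4.3.2 rejection rules for the Domain attribute.

    Returns None if the cookie may be accepted, otherwise the reason it must be
    rejected. The last rule is the one that bites in the capture: the
    request-host may sit at most one label below the Domain value.
    """
    host, domain = host.lower(), domain.lower()
    if not domain.startswith("."):
        return "Domain does not start with a dot"
    if domain.count(".") < 2 or domain.endswith("."):
        return "Domain contains no embedded dot"
    if not host.endswith(domain):
        return "request-host does not domain-match Domain"
    prefix = host[: -len(domain)]
    if "." in prefix:
        return f"request-host prefix {prefix!r} contains an embedded dot"
    return None


def browser_compat_accepts(host: str, domain: str) -> bool:
    """Permissive host-suffix check (assumption: an approximation of what the
    browsers in the capture do). The host must lie under the Domain and the
    Domain must have at least two dots; how deep the host sits is not limited."""
    host, domain = host.lower(), domain.lower()
    if not domain.startswith("."):
        domain = "." + domain
    return domain.count(".") >= 2 and (host.endswith(domain) or host == domain[1:])


def cookie_request_header(cookie: Cookie) -> str:
    """Cookie header a client sends back. A version-0 (Netscape-style) cookie is
    returned as bare NAME=VALUE; a version-1 cookie carries $Version and the
    $Path/$Domain attributes it was set with (RFC 2109 section 4.3.4)."""
    if cookie.version == 0:
        return f"Cookie: {cookie.name}={cookie.value}"
    parts = [f'$Version="{cookie.version}"', f"{cookie.name}={cookie.value}"]
    if cookie.path is not None:
        parts.append(f'$Path="{cookie.path}"')
    if cookie.domain is not None:
        parts.append(f'$Domain="{cookie.domain}"')
    return "Cookie: " + "; ".join(parts)


def evaluate(host: str, set_cookie: str) -> dict:
    """Run both policies over one Set-Cookie and show the header a client would return."""
    cookie = parse_set_cookie(set_cookie)
    if cookie.domain is None:  # no Domain attribute: the cookie is for the request-host itself
        reject, accepts = None, True
    else:
        reject = rfc2109_domain_reject_reason(host, cookie.domain)
        accepts = browser_compat_accepts(host, cookie.domain)
    return {
        "rfc2109_reject_reason": reject,
        "browser_compat_accepts": accepts,
        "cookie_header": cookie_request_header(cookie),
    }


if __name__ == "__main__":
    for key, val in evaluate(CAPTURED_HOST, CAPTURED_SET_COOKIE).items():
        print(f"{key}: {val}")
```

Run against the captured exchange, the cookie is rejected under RFC 2109 because the request-host prefix test2.ecp contains a dot, while the permissive check accepts it, and a version-0 cookie goes back as the bare `SMCHALLENGE=YES` seen in the second request. The practical caveat is the one the trace makes visible: a client that throws from response-header processing fails the whole request over a single cookie the browser would silently keep, so a client that has to interoperate with such servers wants a selectable lenient domain policy rather than a hard exception at that point.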



