Subject: Re: Bad cookie header: illegal domain attribute
From: Oleg Kalnichevski
To: Commons HttpClient Project
Date: 02 Dec 2002 21:14:23 +0100

Mike

I do not want to turn into some sort of cookie Taliban or Revolutionary
Guards here and decide for others how they may want to have their cookie
served. I think there should be a way to turn off the validation, even
though it does not quite make sense to me

Anyhow, the cookie class is in need of a better design. I'll try to
restructure the Cookie class more radically. However, there's no
guarantee that the patch will be accepted

Cheers

Oleg

On Mon, 2002-12-02 at 19:12, Mike Bowler wrote:
> Hi Oleg,
>
> > PS: Stuff sent by IE does not count. I am surprised it has not
> > included your credit card number into that HTTP request.
>
> :-)
>
> This next dump is from mozilla 1.1
>
> > Are you absolutely positive that this cookie does originate from
> > Mozilla and is not added later by some "man in the middle" system?
>
> The sniffer I'm running (ethereal) is on the same machine as Mozilla and
> from looking at ip addresses, it would certainly appear that the request
> really is coming from this machine. I'm no expert on forging addresses
> but it looks legitimate to me.
>
> ===============================
> GET /ecp/index.html HTTP/1.1
> Host: test2.ecp.toyota.ca
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1)
> Gecko/20020826
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
> Accept-Language: en-us, en;q=0.50
> Accept-Encoding: gzip, deflate, compress;q=0.9
> Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
> Keep-Alive: 300
> Connection: keep-alive
>
> HTTP/1.1 401 Authorization Required
> Date: Mon, 02 Dec 2002 17:59:14 GMT
> Server: Apache/1.3.14 (Unix)
> WWW-authenticate: basic realm="ECP [12:59:14:4625]"
> Set-Cookie: SMCHALLENGE=YES; path=/; domain=.toyota.ca
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=iso-8859-1
>
> 1df
>
> 401 Authorization Required
>
> Authorization Required
>
> This server could not verify that you
> are authorized to access the document
> requested. Either you supplied the wrong
> credentials (e.g., bad password), or your
> browser doesn't understand how to supply
> the credentials required.
>
> Apache/1.3.14 Server at tcisudev02.tci.toyota.com Port 80
>
> 0
>
> GET /ecp/index.html HTTP/1.1
> Host: test2.ecp.toyota.ca
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1)
> Gecko/20020826
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
> Accept-Language: en-us, en;q=0.50
> Accept-Encoding: gzip, deflate, compress;q=0.9
> Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
> Keep-Alive: 300
> Connection: keep-alive
> Authorization: Basic
> Cookie: SMCHALLENGE=YES
> ===============================

--
Oleg Kalnichevski
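
In the capture quoted above, test2.ecp.toyota.ca sets a cookie with domain=.toyota.ca and Mozilla sends it back on the next request. The following is an added example, not part of the original message and not HttpClient code (class and method names are hypothetical): it compares a lenient tail match with the RFC 2109 section 4.3.2 rules, on the assumption that those rules are the validation under discussion.

```java
import java.util.Locale;

// Added illustration: class and method names are hypothetical, not HttpClient's API.
public class CookieDomainCheck {

    // Lenient, browser-style check: the request host only has to end with Domain.
    static boolean tailMatch(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        String bare = d.startsWith(".") ? d.substring(1) : d;
        return h.equals(bare) || h.endsWith("." + bare);
    }

    // RFC 2109 section 4.3.2 rules for an explicit Domain attribute, with the
    // request host assumed to be a name, not an IP address.
    // Returns null when the cookie is acceptable, otherwise the rejection reason.
    static String rfc2109Violation(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        if (!d.startsWith(".")) {
            return "Domain does not start with a dot";
        }
        int dot = d.indexOf('.', 1);
        if (dot < 0 || dot == d.length() - 1) {
            return "Domain has no embedded dot";
        }
        if (h.length() <= d.length() || !h.endsWith(d)) {
            return "request host does not domain-match Domain";
        }
        String prefix = h.substring(0, h.length() - d.length());
        if (prefix.indexOf('.') >= 0) {
            return "host minus Domain (\"" + prefix + "\") contains a dot";
        }
        return null;
    }

    public static void main(String[] args) {
        String host = "test2.ecp.toyota.ca"; // Host header from the quoted dump
        // First value is the Set-Cookie domain from the dump; the rest are constructed.
        String[] domains = { ".toyota.ca", ".ecp.toyota.ca", ".ca", ".toyota.com" };
        for (String domain : domains) {
            String why = rfc2109Violation(host, domain);
            System.out.println("domain=" + domain
                    + "  lenient=" + (tailMatch(host, domain) ? "accept" : "reject")
                    + "  rfc2109=" + (why == null ? "accept" : "reject: " + why));
        }
    }
}
```

The cookie from the dump passes the lenient match but fails the RFC 2109 rule that the host minus the Domain value may not contain a dot. The constructed `.ca` case passes the lenient match too and is stopped only by the embedded-dot rule, which is the part of the validation that keeps a host from setting a cookie for a whole top-level domain.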