hc-dev mailing list archives
From Oleg Kalnichevski <o.kalnichev...@dplanet.ch>
Subject Re: HttpMethodBase::ParseResponseHeaders handling of cookies
Date Thu, 13 Feb 2003 19:59:45 GMT
Hi James,
I am known as Cookie Taliban here for imposing strict, at times literal,
interpretation of cookie related RFCs ;-)

First of all, RFC 2965 has not been implemented yet, even though
HttpClient offers limited support for set-cookie2 headers.

Currently HttpClient by default uses RFC2109 compliant cookie
management. I just wonder if you have tried using the cookie
compatibility policy that HttpClient provides in addition to the RFC2109
compliant and Netscape Draft compliant cookie specs? It does go lightly
on all sorts of non-compliant cookies:

client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);

If the compatibility policy does not yield desirable results, I'd
suggest writing a custom cookie spec class, rather than tweaking the
HttpMethodBase class.

I'll look into RFC 2109 regarding the correct way invalid cookies should
be rejected.

Cheers

Oleg

On Thu, 2003-02-13 at 20:30, Couball, James wrote:
> Hello All,
> 
> I have a problem with my application of HTTPClient relating to the way that
> HttpMethodBase::ParseResponseHeaders handles rejecting cookies.
> 
> My problem is that when one cookie in the set-cookie(2) header is considered
> invalid (call to parser.validate throws an exception) (because the domain is
> for a third party, for example) all cookies in the header that haven't been
> processed are dropped.  In my application, I want to reject cookies that don't
> match the domain and accept cookies that do match the domain.  This problem
> cannot be solved with a new cookie policy because the problem is in how
> HttpMethodBase::ParseResponseHeaders handles the exception thrown by
> parser.validate.
> 
> RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2
> header and rejecting others is ok.  See section 3.3.2: "To prevent possible
> security or privacy violations, a user agent rejects A COOKIE according to
> rules below." (emphasis is mine)
> 
> In addition, IE and Netscape do accept all of the valid cookies on a
> Set-Cookie(2) header.  What is a valid cookie to IE and Netscape depends on
> how you set the cookie policy within that program and is more complicated
> than what HttpClient currently supports.
> 
> If this is a desired change, I have attached my implementation of
> HttpMethodBase::ParseResponseHeaders to be added to HttpClient.  If
> requested, I can also provide a patch.
> 
> Sincerely,
> James.
> 
> protected void processResponseHeaders(HttpState state,
>     HttpConnection conn) {
>     LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, "
>         + "HttpConnection)");
> 
>     // add cookies, if any
>     // should we set cookies?
>     String cookieHeaderName = "set-cookie2";
>     Header setCookieHeader = getResponseHeader(cookieHeaderName);
>     if (null == setCookieHeader) { //ignore old-style if new is supported
>         cookieHeaderName = "set-cookie";
>         setCookieHeader = getResponseHeader(cookieHeaderName);
>     }
> 
>     if (setCookieHeader != null) {
> 
>       // Parse cookies -- an error parsing the set-cookie header dumps all
>       // cookies in this header.
> 
>       CookieSpec parser =
>           CookiePolicy.getSpecByPolicy(state.getCookiePolicy());
>       Cookie[] cookies = null;
>       try {
>         cookies = parser.parse(
>             conn.getHost(),
>             conn.getPort(),
>             getPath(),
>             conn.isSecure(),
>             setCookieHeader);
>       }
>       catch (MalformedCookieException e) {
>         if (LOG.isWarnEnabled()) {
>           LOG.warn("Could not parse " + cookieHeaderName + " header: \""
>                    + setCookieHeader.getValue()
>                    + "\". " + e.getMessage());
>         }
>       }
> 
>       // Validate cookies -- only valid cookies are added.  Invalid cookies
>       // are logged and ignored.
> 
>       if (cookies != null) {
>         for (int i = 0; i < cookies.length; i++) {
>           Cookie cookie = cookies[i];
>           boolean accepted = true;
>           try {
>             parser.validate(
>                 conn.getHost(),
>                 conn.getPort(),
>                 getPath(),
>                 conn.isSecure(),
>                 cookie);
>           }
>           catch (MalformedCookieException e) {
>             accepted = false;
>             if (LOG.isWarnEnabled()) {
>               LOG.warn("Cookie rejected: \""
>                        + parser.formatCookie(cookie)
>                        + "\". " + e.getMessage());
>             }
>           }
>           if (accepted) {
>             if (LOG.isDebugEnabled()) {
>               LOG.debug("Cookie accepted: \""
>                         + parser.formatCookie(cookie) + "\"");
>             }
>             state.addCookie(cookie);
>           }
>         }
>       }
>     }
> }
> 
> 


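The per-cookie acceptance James argues for, modelled as an added Python example rather than HttpClient's own code: the RFC 2109 domain and path rejection rules, the Set-Cookie parser and the sample header value are all constructed here, and accept_cookies can also reproduce the stop-at-first-failure behaviour he describes so the two outcomes can be compared.

```python
import re
# Added example, not HttpClient code: a small model of RFC 2109 cookie acceptance.
def domain_match(host, domain):
    """RFC 2109 s.2: A matches B if equal, or B starts with '.' and A = N + B."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and host.endswith(domain)
                              and len(host) > len(domain))

def validate(host, path, cookie):
    """Apply the RFC 2109 s.4.3.2 rejection rules; raise ValueError with the reason."""
    cpath, domain = cookie.get("path", path), cookie.get("domain")
    if not path.startswith(cpath):
        raise ValueError("path %r is not a prefix of request path %r" % (cpath, path))
    if domain is None:
        return  # Domain defaults to the request-host, which always matches
    if not domain.startswith(".") or "." not in domain[1:]:
        raise ValueError("domain %r lacks a leading or embedded dot" % domain)
    if not domain_match(host, domain):
        raise ValueError("host %r does not domain-match %r" % (host, domain))
    if "." in host[:-len(domain)]:
        raise ValueError("host %r has more than one label before %r" % (host, domain))

def parse_set_cookie(header):
    """Split a Set-Cookie value into dicts; the lookahead keeps commas inside dates."""
    cookies = []
    for chunk in re.split(r",\s*(?=[^=;,\s]+=)", header):
        name_value, *attrs = [p.strip() for p in chunk.split(";") if p.strip()]
        cookie = dict(zip(("name", "value"), name_value.partition("=")[::2]))
        for attr in attrs:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
        cookies.append(cookie)
    return cookies

def accept_cookies(host, path, header, stop_at_first_failure=False):
    """Return (accepted names, rejection log); stop_at_first_failure models the
    behaviour James describes, where cookies after the first invalid one are lost."""
    accepted, log = [], []
    for cookie in parse_set_cookie(header):
        try:
            validate(host, path, cookie)
            accepted.append(cookie["name"])
        except ValueError as err:
            log.append("rejected %s: %s" % (cookie["name"], err))
            if stop_at_first_failure:
                break
    return accepted, log

# Constructed sample header: first-party, third-party, and no-Domain cookies.
SAMPLE = "a=1; Domain=.example.org; Path=/, b=2; Domain=.tracker.net; Path=/, c=3; Path=/"
```

Running accept_cookies("www.example.org", "/", SAMPLE) keeps a and c and logs the rejection of b; with stop_at_first_failure=True only a survives, which is the loss of later valid cookies the thread is about.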