hc-dev mailing list archives

From Oleg Kalnichevski <o.kalnichev...@dplanet.ch>
Subject Re: HttpMethodBase::ParseResponseHeaders handling of cookies
Date Thu, 13 Feb 2003 21:43:03 GMT
Jandalf, James

The wording of RFC2109 is unsurprisingly vague; however, in my
opinion HttpClient is correct in rejecting the entire Set-Cookie
header.

See the following quote from the RFC2109:
=============================
4.3.2  Rejecting Cookies

...

Examples:

   * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
     would be rejected, because H is y.x and contains a dot.

   * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
     be accepted.

   * A Set-Cookie with Domain=.com or Domain=.com., will always be
     rejected, because there is no embedded dot.

   * A Set-Cookie with Domain=ajax.com will be rejected because the
     value for Domain does not begin with a dot.
===========================

I tend to interpret the statements above as referring to the
Set-Cookie header rather than to an individual cookie. Please let me know
if you see it differently.

Faithfully yours,

Cookie Taliban


On Thu, 2003-02-13 at 21:02, Jeffrey Dever wrote:
> Good argument.  I'd say you are right that cookies should be 
> accepted/rejected based on individual merits and not on the entire 
> cookie header.  A patch (in unidiff format) would be helpful in 
> evaluating what you propose to change.
> 
> Jandalf.
> 
> 
> Couball, James wrote:
> 
> >Hello All,
> >
> >I have a problem with my application of HTTPClient relating to the way that
> >HttpMethodBase::ParseResponseHeaders handles rejecting cookies.
> >
> >My problem is that when one cookie in the set-cookie(2) header is considered
> >invalid (call to parser.validate throws an exception) (because the domain is
> >for a third party, for example) all cookies in the header that haven't been
> >processed are dropped.  In my application, I want to reject cookies that don't
> >match the domain and accept cookies that do match the domain.  This problem
> >can not be solved with a new cookie policy because the problem is in how
> >HttpMethodBase::ParseResponseHeaders handles the exception thrown by
> >parser.validate.
> >
> >RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2
> >header and rejecting others is ok.  See section 3.3.2: "To prevent possible
> >security or privacy violations, a user agent rejects A COOKIE according to
> >rules below." (emphasis is mine)
> >
> >In addition, IE and Netscape do accept all of the valid cookies on a
> >Set-Cookie(2) header.  What is a valid cookie to IE and Netscape depends on
> >how you set the cookie policy within that program and is more complicated
> >than what HttpClient currently supports.
> >
> >If this is a desired change, I have attached my implementation of
> >HttpMethodBase::ParseResponseHeaders to be added to HttpClient.  If
> >requested, I can also provide a patch.
> >
> >Sincerely,
> >James.
> >
> >protected void processResponseHeaders(HttpState state,
> >    HttpConnection conn) {
> >    LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, "
> >        + "HttpConnection)");
> >
> >    // add cookies, if any
> >    // should we set cookies?
> >    String cookieHeaderName = "set-cookie2";
> >    Header setCookieHeader = getResponseHeader(cookieHeaderName);
> >    if (null == setCookieHeader) { //ignore old-style if new is supported
> >        cookieHeaderName = "set-cookie";
> >        setCookieHeader = getResponseHeader(cookieHeaderName);
> >    }
> >
> >    if (setCookieHeader != null) {
> >
> >      // Parse cookies -- an error parsing the set-cookie header dumps all
> >      // cookies in this header.
> >
> >      CookieSpec parser =
> >          CookiePolicy.getSpecByPolicy(state.getCookiePolicy());
> >      Cookie[] cookies = null;
> >      try {
> >        cookies = parser.parse(
> >            conn.getHost(),
> >            conn.getPort(),
> >            getPath(),
> >            conn.isSecure(),
> >            setCookieHeader);
> >      }
> >      catch (MalformedCookieException e) {
> >        if (LOG.isWarnEnabled()) {
> >          LOG.warn("Could not parse " + cookieHeaderName + " header: \""
> >                   + setCookieHeader.getValue()
> >                   + "\". " + e.getMessage());
> >        }
> >      }
> >
> >      // Validate cookies -- only valid cookies are added.  Invalid cookies
> >      // are logged and ignored.
> >
> >      if (cookies != null) {
> >        for (int i = 0; i < cookies.length; i++) {
> >          Cookie cookie = cookies[i];
> >          boolean accepted = true;
> >          try {
> >            parser.validate(
> >                conn.getHost(),
> >                conn.getPort(),
> >                getPath(),
> >                conn.isSecure(),
> >                cookie);
> >          }
> >          catch (MalformedCookieException e) {
> >            accepted = false;
> >            if (LOG.isWarnEnabled()) {
> >              LOG.warn("Cookie rejected: \""
> >                       + parser.formatCookie(cookie)
> >                       + "\". " + e.getMessage());
> >            }
> >          }
> >          if (accepted) {
> >            if (LOG.isDebugEnabled()) {
> >              LOG.debug("Cookie accepted: \""
> >                        + parser.formatCookie(cookie) + "\"");
> >            }
> >            state.addCookie(cookie);
> >          }
> >        }
> >      }
> >    }
> >}
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >
> >
> >  
> >


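The two points argued in this thread, the RFC 2109 section 4.3.2 Domain rules Oleg quotes and James's proposal that each cookie in a Set-Cookie header be accepted or rejected on its own merits, as an added worked example. This is Python written for this page, not HttpClient code or anything posted in the thread; the header splitter assumes RFC 2109-style Max-Age (so commas only separate cookies, and comma-bearing Netscape Expires dates are not handled), SAMPLE_HEADER is constructed from the RFC's own examples, and all function and class names are the example's own.

```python
# RFC 2109 section 4.3.2 rejection rules applied one cookie at a time (constructed
# example, not HttpClient code): a rejected cookie does not discard its neighbours.
from dataclasses import dataclass
from typing import List, Optional


class CookieRejected(ValueError): pass  # carries the RFC 2109 reason for a rejection


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None  # Domain attribute as sent, None if absent
    path: Optional[str] = None    # Path attribute as sent, None if absent


def split_cookies(header_value: str) -> List[str]:
    """Split a Set-Cookie value on unquoted commas.  Assumption: RFC 2109 Max-Age
    is used, so commas only separate cookies (Netscape Expires dates are not handled)."""
    parts, buf, quoted = [], [], False
    for ch in header_value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cookie(text: str) -> Cookie:
    """Parse 'NAME=VALUE; Attr=val; ...'; attribute names are case-insensitive."""
    pieces = [p.strip() for p in text.split(";")]
    name, _, value = pieces[0].partition("=")
    if not name.strip():
        raise CookieRejected("cookie has no name: %r" % text)
    cookie = Cookie(name.strip(), value.strip().strip('"'))
    for attr in pieces[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "domain":
            cookie.domain = val.lower()
        elif key == "path":
            cookie.path = val
    return cookie


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2: equal names, or host is N + domain with N non-empty
    and domain starting with a dot (x.y.com matches .y.com; y.com does not)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def validate(cookie: Cookie, request_host: str, request_path: str) -> None:
    """Raise CookieRejected if the cookie fails any RFC 2109 section 4.3.2 rule."""
    request_host = request_host.lower()
    if cookie.path is not None and not request_path.startswith(cookie.path):
        raise CookieRejected("Path=%s is not a prefix of %s" % (cookie.path, request_path))
    if cookie.domain is None:
        return  # Domain defaults to the request-host, which trivially matches
    d = cookie.domain
    if not d.startswith("."):
        raise CookieRejected("Domain=%s does not begin with a dot" % d)
    if "." not in d[1:-1]:  # embedded = neither first nor last: .com and .com. fail
        raise CookieRejected("Domain=%s has no embedded dot" % d)
    if not domain_match(request_host, d):
        raise CookieRejected("%s does not domain-match Domain=%s" % (request_host, d))
    h = request_host[:-len(d)]  # request-host is HD; H must not contain a dot
    if "." in h:
        raise CookieRejected("H=%r of request-host %s contains a dot" % (h, request_host))


def process_set_cookie(header_value: str, request_host: str, request_path: str):
    """Return (accepted cookies, rejected (text, reason) pairs) for one header."""
    accepted, rejected = [], []
    for text in split_cookies(header_value):
        try:
            cookie = parse_cookie(text)
            validate(cookie, request_host, request_path)
        except CookieRejected as exc:
            rejected.append((text, str(exc)))
        else:
            accepted.append(cookie)
    return accepted, rejected


# Constructed header: the RFC 2109 Domain examples plus a cookie with no Domain.
SAMPLE_HEADER = ('sid=abc123; Path=/; Domain=.foo.com, tracker=1; Domain=.com, '
                 'vendor=2; Domain=ajax.com, plain=3')

if __name__ == "__main__":
    acc, rej = process_set_cookie(SAMPLE_HEADER, "y.x.foo.com", "/app/index.html")
    print("accepted:", [c.name for c in acc], "rejected:", rej)
```

Run against request-host x.foo.com, the header yields two accepted cookies (sid and plain) and two rejected ones (Domain=.com has no embedded dot, Domain=ajax.com does not begin with a dot); against y.x.foo.com, sid is rejected as well because H is y.x and contains a dot, while plain still survives. That is the per-cookie outcome James's loop produces, as opposed to a single parse or validation failure dropping every cookie in the header.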