hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <o.kalnichev...@dplanet.ch>
Subject Re: HttpMethodBase::ParseResponseHeaders handling of cookies
Date Thu, 13 Feb 2003 23:46:38 GMT
You know, I always end up agreeing with you. ;-)

Blessed be all compliant cookies under the moon
Time to go back to my cave. 

Omar

On Fri, 2003-02-14 at 00:07, Jeffrey Dever wrote:
> Well Omar Kalnichevski, they don't say if a Set-Cookie header should be 
> rejected, or if a Set-Cookie value should be rejected on those rejection 
> criteria.  A broken cookie does not effect the integretity of the other 
> cookies and so we should be accepting in what we take in.
> 
> "One broken cookie in the cookie jar does not make the cookie jar broken"
> Cookie Monster, Seseme Street.
> http://pbskids.org/sesame/letter/
> 
> 
> 
> Oleg Kalnichevski wrote:
> 
> >Jandalf, James
> >
> >The wording of the RFC2109 is unsurprisingly vague, however, in my
> >opinion HttpClient is correct in rejecting the entire set Set-Cookie
> >header. 
> >
> >See the following quote from the RFC2109:
> >=============================
> >4.3.2  Rejecting Cookies
> >
> >...
> >
> >Examples:
> >
> >   * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
> >     would be rejected, because H is y.x and contains a dot.
> >
> >   * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
> >     be accepted.
> >
> >   * A Set-Cookie with Domain=.com or Domain=.com., will always be
> >     rejected, because there is no embedded dot.
> >
> >   * A Set-Cookie with Domain=ajax.com will be rejected because the
> >     value for Domain does not begin with a dot.
> >===========================
> >
> >I tend to interpret the above stated statements as referring to the
> >Set-Cookie header, rather than an individual cookie. Please let me know
> >if you see it differently
> >
> >Faithfully yours,
> >
> >Cookie Taliban
> >
> >
> >On Thu, 2003-02-13 at 21:02, Jeffrey Dever wrote:
> >  
> >
> >>Good argument.  I'd say you are right that cookies should be 
> >>accepted/rejected based on individual merits and not on the entire 
> >>cookie header.  A patch (in unidiff format) would be helpful in 
> >>evaluation what you propose to change.
> >>
> >>Jandalf.
> >>
> >>
> >>Couball, James wrote:
> >>
> >>    
> >>
> >>>Hello All,
> >>>
> >>>I have a problem with my application of HTTPClient relating to the way that
> >>>HttpMethodBase::ParseResponseHeaders handles rejecting cookies.
> >>>
> >>>My problem is that when one cookie in the set-cookie(2) header is considered
> >>>invalid (call to parser.validate throws an exception) (because the domain
is
> >>>for a third party, for example) all cookies in the header that haven't been
> >>>process are dropped.  In my application, I want to reject cookies that don't
> >>>match the domain and accept cookies that do match the domain.  This problem
> >>>can not be solved with a new cookie policy because the problem is in how
> >>>HttpMethodBase::ParseResponseHeaders handles the exception thrown by
> >>>parser.validate.
> >>>
> >>>RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2
> >>>header and rejecting others is ok.  See section 3.3.2: "To prevent possible
> >>>security or privacy violations, a user agent rejects A COOKIE according to
> >>>rules below." (emphasis is mine)
> >>>
> >>>In addition, IE and Netscape do accept all of the valid cookies on a
> >>>Set-Cookie(2) header.  What is a valid cookie to IE and Netscape depends
on
> >>>how you set the cookie policy within that program and is more complicated
> >>>that what HttpClient currently supports.
> >>>
> >>>If this is a desired change, I have attached my implementation of
> >>>HttpMethodBase::ParseResponseHeaders to be added to HttpClient.  If
> >>>requested, I can also provide a patch.
> >>>
> >>>Sincerely,
> >>>James.
> >>>
> >>>protected void processResponseHeaders(HttpState state,
> >>>   HttpConnection conn) {
> >>>   LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, "
> >>>       + "HttpConnection)");
> >>>
> >>>   // add cookies, if any
> >>>   // should we set cookies?
> >>>   String cookieHeaderName = "set-cookie2";
> >>>   Header setCookieHeader = getResponseHeader(cookieHeaderName);
> >>>   if (null == setCookieHeader) { //ignore old-style if new is supported
> >>>       cookieHeaderName = "set-cookie";
> >>>       setCookieHeader = getResponseHeader(cookieHeaderName);
> >>>   }
> >>>
> >>>   if (setCookieHeader != null) {
> >>>
> >>>     // Parse cookies -- an error parsing the set-cookie header dumps all
> >>>     // cookies in this header.
> >>>
> >>>     CookieSpec parser =
> >>>CookiePolicy.getSpecByPolicy(state.getCookiePolicy());
> >>>     Cookie[] cookies = null;
> >>>     try {
> >>>       cookies = parser.parse(
> >>>           conn.getHost(),
> >>>           conn.getPort(),
> >>>           getPath(),
> >>>           conn.isSecure(),
> >>>           setCookieHeader);
> >>>     }
> >>>     catch (MalformedCookieException e) {
> >>>       if (LOG.isWarnEnabled()) {
> >>>         LOG.warn("Could not parse " + cookieHeaderName + " header: \""
> >>>                  + setCookieHeader.getValue()
> >>>                  + "\". " + e.getMessage());
> >>>       }
> >>>     }
> >>>
> >>>     // Validate cookies -- only valid cookies are added.  Invalid cookies
> >>>     // are logged and ignored.
> >>>
> >>>     if (cookies != null) {
> >>>       for (int i = 0; i < cookies.length; i++) {
> >>>         Cookie cookie = cookies[i];
> >>>         boolean accepted = true;
> >>>         try {
> >>>           parser.validate(
> >>>               conn.getHost(),
> >>>               conn.getPort(),
> >>>               getPath(),
> >>>               conn.isSecure(),
> >>>               cookie);
> >>>         }
> >>>         catch (MalformedCookieException e) {
> >>>           accepted = false;
> >>>           if (LOG.isWarnEnabled()) {
> >>>             LOG.warn("Cookie rejected: \""
> >>>                      + parser.formatCookie(cookie)
> >>>                      + "\". " + e.getMessage());
> >>>           }
> >>>         }
> >>>         if (accepted) {
> >>>           if (LOG.isDebugEnabled()) {
> >>>             LOG.debug("Cookie accepted: \""
> >>>                       + parser.formatCookie(cookie) + "\"");
> >>>           }
> >>>           state.addCookie(cookie);
> >>>         }
> >>>       }
> >>>     }
> >>>   }
> >>>}
> >>>
> >>>
> >>>---------------------------------------------------------------------
> >>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >>>
> >>>
> >>> 
> >>>
> >>>      
> >>>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >>
> >>    
> >>
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >
> >
> >  
> >
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> 


Mime
View raw message