hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From o.kalnichev...@dplanet.ch
Subject Re:HttpMethodBase::ParseResponseHeaders handling of cookies
Date Sun, 16 Feb 2003 19:24:23 GMT
James,
Your patch with some minor tweaks has been applied. I'd like to thank you one more time for
having reported the problem and contributing the patch. Please do not hesitate to let me know
if you see any other problems related to cookie management in HttpClient

Kind regards

Oleg

>Hello All,
>
>I have a problem with my application of HTTPClient relating to the way that
>HttpMethodBase::ParseResponseHeaders handles rejecting cookies.
>
>My problem is that when one cookie in the set-cookie(2) header is considered
>invalid (call to parser.validate throws an exception) (because the domain is
>for a third party, for example) all cookies in the header that haven't been
>process are dropped.  In my application, I want to reject cookies that don't
>match the domain and accept cookies that do match the domain.  This problem
>can not be solved with a new cookie policy because the problem is in how
>HttpMethodBase::ParseResponseHeaders handles the exception thrown by
>parser.validate.
>
>RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2
>header and rejecting others is ok.  See section 3.3.2: "To prevent possible
>security or privacy violations, a user agent rejects A COOKIE according to
>rules below." (emphasis is mine)
>
>In addition, IE and Netscape do accept all of the valid cookies on a
>Set-Cookie(2) header.  What is a valid cookie to IE and Netscape depends on
>how you set the cookie policy within that program and is more complicated
>that what HttpClient currently supports.
>
>If this is a desired change, I have attached my implementation of
>HttpMethodBase::ParseResponseHeaders to be added to HttpClient.  If
>requested, I can also provide a patch.
>
>Sincerely,
>James.
>
>protected void processResponseHeaders(HttpState state,
>    HttpConnection conn) {
>    LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, "
>        + "HttpConnection)");
>
>    // add cookies, if any
>    // should we set cookies?
>    String cookieHeaderName = "set-cookie2";
>    Header setCookieHeader = getResponseHeader(cookieHeaderName);
>    if (null == setCookieHeader) { //ignore old-style if new is supported
>        cookieHeaderName = "set-cookie";
>        setCookieHeader = getResponseHeader(cookieHeaderName);
>    }
>
>    if (setCookieHeader != null) {
>
>      // Parse cookies -- an error parsing the set-cookie header dumps all
>      // cookies in this header.
>
>      CookieSpec parser =
>CookiePolicy.getSpecByPolicy(state.getCookiePolicy());
>      Cookie[] cookies = null;
>      try {
>        cookies = parser.parse(
>            conn.getHost(),
>            conn.getPort(),
>            getPath(),
>            conn.isSecure(),
>            setCookieHeader);
>      }
>      catch (MalformedCookieException e) {
>        if (LOG.isWarnEnabled()) {
>          LOG.warn("Could not parse " + cookieHeaderName + " header: \""
>                   + setCookieHeader.getValue()
>                   + "\". " + e.getMessage());
>        }
>      }
>
>      // Validate cookies -- only valid cookies are added.  Invalid cookies
>      // are logged and ignored.
>
>      if (cookies != null) {
>        for (int i = 0; i < cookies.length; i++) {
>          Cookie cookie = cookies[i];
>          boolean accepted = true;
>          try {
>            parser.validate(
>                conn.getHost(),
>                conn.getPort(),
>                getPath(),
>                conn.isSecure(),
>                cookie);
>          }
>          catch (MalformedCookieException e) {
>            accepted = false;
>            if (LOG.isWarnEnabled()) {
>              LOG.warn("Cookie rejected: \""
>                       + parser.formatCookie(cookie)
>                       + "\". " + e.getMessage());
>            }
>          }
>          if (accepted) {
>            if (LOG.isDebugEnabled()) {
>              LOG.debug("Cookie accepted: \""
>                        + parser.formatCookie(cookie) + "\"");
>            }
>            state.addCookie(cookie);
>          }
>        }
>      }
>    }
>}
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
>

Mime
View raw message