hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 25264] - Cookie rejected
Date Tue, 09 Dec 2003 07:17:18 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25264>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25264

Cookie rejected





------- Additional Comments From rolweber@de.ibm.com  2003-12-09 07:17 -------
Please ignore my last comment about the cookie parsing. I mixed up
the cookie domain and the host. The cookie is parsed correctly, the
problem lies with the hostname.

However, I do wonder whether there is some redirect involved. If
sourceforge.net sends a redirect to www.sourceforge.net, the redirect
is chased by HttpClient, and www.sourceforge.net sends a cookie for
domain .sourceforge.net, will that cookie be verified against host
sourceforge.net or against host www.sourceforge.net?

I'm just guessing here. I don't have a sourceforge account to verify
the behaviour. I just find it hard to imagine that browsers actually
accept a cookie outside of the host's domain. Browser makers have
gotten a lot of public beating for security bugs lately, and I'd
consider this to be one.

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Mime
View raw message