Date: 9 Dec 2003 07:17:18 -0000
Message-ID: <20031209071718.15161.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: commons-httpclient-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 25264] - Cookie rejected

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25264

Cookie rejected

------- Additional Comments From rolweber@de.ibm.com 2003-12-09 07:17 -------
Please ignore my last comment about the cookie parsing. I mixed up the cookie domain and the host. The cookie is parsed correctly, the problem lies with the hostname.

However, I do wonder whether there is some redirect involved.
If sourceforge.net sends a redirect to www.sourceforge.net, the redirect is chased by HttpClient, and www.sourceforge.net sends a cookie for domain .sourceforge.net, will that cookie be verified against host sourceforge.net or against host www.sourceforge.net?

I'm just guessing here. I don't have a sourceforge account to verify the behaviour. I just find it hard to imagine that browsers actually accept a cookie outside of the host's domain. Browser makers have gotten a lot of public beating for security bugs lately, and I'd consider this to be one.
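
The question raised in the comment above can be worked through with the cookie domain rules themselves. The following is an added example, not part of the original message and not HttpClient code: it checks the Domain value .sourceforge.net against both candidate request hosts, assuming the RFC 2109 rejection rules apply, and compares the result with the later RFC 6265 domain-match. Function names are hypothetical and IP-address hosts are not handled.

```python
# Added illustration: cookie Domain validation for the two hosts named in the
# comment. Assumes RFC 2109 (sections 2 and 4.3.2) and RFC 6265 (5.1.3, 5.2.3).

def rfc2109_domain_match(host: str, domain: str) -> bool:
    """Identical strings, or host = N + domain with N non-empty and domain
    starting with a dot (x.y.com matches .y.com, y.com does not)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return (domain.startswith(".") and host.endswith(domain)
            and len(host) > len(domain))


def rfc2109_reject_reason(host: str, domain: str):
    """Return the reason RFC 2109 4.3.2 rejects this Domain, or None if accepted."""
    if not domain.startswith(".") or "." not in domain[1:]:
        return "domain lacks leading dot or embedded dot"
    if not rfc2109_domain_match(host, domain):
        return "request-host does not domain-match"
    prefix = host[: len(host) - len(domain)]
    if "." in prefix:
        return "host prefix contains a dot"
    return None


def rfc6265_domain_match(host: str, domain: str) -> bool:
    """RFC 6265: one leading dot of Domain is dropped, then the host must equal
    the domain or end with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    if domain.startswith("."):
        domain = domain[1:]
    return host == domain or host.endswith("." + domain)


def evaluate(domain: str, hosts):
    """Map each candidate request host to (RFC 2109 reject reason, RFC 6265 match)."""
    return {h: (rfc2109_reject_reason(h, domain), rfc6265_domain_match(h, domain))
            for h in hosts}


if __name__ == "__main__":
    # Host before and after the redirect described in the comment.
    candidates = ["sourceforge.net", "www.sourceforge.net"]
    for host, (reason, later) in evaluate(".sourceforge.net", candidates).items():
        verdict = "accepted" if reason is None else "rejected: " + reason
        print(f"{host:22} RFC 2109 {verdict}; RFC 6265 match={later}")
```

Under the RFC 2109 rules the outcome depends entirely on which host the client validates against, so a client that follows redirects has to check the cookie against the host that actually sent the Set-Cookie header.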