hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject RE: cookie processing
Date Mon, 20 Feb 2006 17:56:33 GMT
On Mon, 2006-02-20 at 17:32 +0100, Hoef, Jan wrote:
> Hi Oleg,
> 
> I had a wrong statement in my first mail, the value of the second cookie
> was quoted.
> cadata="1,kou8Vc9O9nrV4YRnTwVz6QMNbuiWuIg2NprLOkMT4NEcDtGkSTB2P9ORB2QUHsuP+E2OfwYC4rWCMgGe".
> 
> I tested it on httpclient 2 and 3.
> Only the netscape draft spec of httpclient 3 parsed the sessionid cookie
> into 1 cookie; all the others made 2 cookies from it.
> 
> Jan 
> 

Which is precisely the way it is meant to be. 


You have a few choices here

(1) report the bug to the software manufacturer and get them to fix it
(2) inquire with the Slide folks if they have any plans to migrate off
HttpClient 2.0 to HttpClient 3.0. If needed, I can lend them a helping
hand porting the code to the newest HttpClient release
(3) fork HttpClient 2.0

Oleg


> Testcase httpclient3:
> 
> 
> package org.apache.commons.httpclient.cookie;
> 
> import org.apache.commons.httpclient.Cookie;
> import org.apache.commons.httpclient.cookie.CookieSpec;
> 
> import junit.framework.TestCase;
> 
> public class TestWrongCookie extends TestCase {
>      
>     public void testParseRFC2109() throws Exception {
>  
>         CookieSpec parser = new RFC2109Spec();
>         String setCookie1 =
>             "sessionid=4241de88-1c21-4f39-b7b7-f50a87d6a828, 0x409; path=/";
>         String setCookie2 =
>             "cadata=\"1,kou8Vc9O9nrV4YRnTwVz6QMNbuiWuIg2NprLOkMT4NEcDtGkSTB2P9ORB2QUHsuP+E2OfwYC4rWCMgGe\"; HttpOnly; secure; path=/";
>         Cookie[] parsed1 =
>             parser.parse("127.0.0.1",80,"/",true,setCookie1);
>         Cookie[] parsed2 =
>             parser.parse("127.0.0.1",80,"/",true,setCookie2);
>         assertEquals(2,parsed1.length);
>         assertEquals(1,parsed2.length);
>      }
>     
>     public void testParseNetscape() throws Exception {
>  
>         
>         CookieSpec parser = new NetscapeDraftSpec();
>         String setCookie1 =
>             "sessionid=4241de88-1c21-4f39-b7b7-f50a87d6a828, 0x409; path=/";
>         String setCookie2 =
>             "cadata=\"1,kou8Vc9O9nrV4YRnTwVz6QMNbuiWuIg2NprLOkMT4NEcDtGkSTB2P9ORB2QUHsuP+E2OfwYC4rWCMgGe\"; HttpOnly; secure; path=/";
>         Cookie[] parsed1 =
>             parser.parse("127.0.0.1",80,"/",true,setCookie1);
>         Cookie[] parsed2 =
>             parser.parse("127.0.0.1",80,"/",true,setCookie2);
>         assertEquals(1,parsed1.length);
>         assertEquals(1,parsed2.length);
>      }
> }
> 
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> Sent: maandag 20 februari 2006 15:54
> To: HttpClient Project
> Subject: RE: cookie processing
> 
> On Mon, 2006-02-20 at 15:46 +0100, Hoef, Jan wrote:
> > Thanx for your explanation. I'll try out the Netscape cookie draft spec.
> > However the httpclient code generates only 3 cookies out of it, not 4.
> > 
> > Jan
> > 
> 
> Jan,
> I have not touched the HttpClient 2.x code for almost 6 months now, so I
> may well be wrong about it, but I do see that both cookies violate the
> HTTP spec. Try hitting the site with HttpClient 3.0 and see if that
> makes any difference
> 
> Oleg 
> 
> 
> > -----Original Message-----
> > From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> > Sent: maandag 20 februari 2006 15:36
> > To: HttpClient Project
> > Subject: Re: cookie processing
> > 
> > On Mon, 2006-02-20 at 14:34 +0100, Hoef, Jan wrote:
> > > Hi,
> > >  
> > > I am working with the jakarta project slide that uses the
> > > commons-httpclient-2.0.2. 
> > > I have written a client that sends requests via webdav to the microsoft
> > > exchange server 2003.
> > > In the exchange server form based authentication is active. 
> > > When I enter my logon credentials in my post request, the server
> > > responds containing 2 cookies that are needed in all next requests.
> > > These cookies are, e.g.:
> > > - sessionid=4241de88-1c21-4f39-b7b7-f50a87d6a828, 0x409; path=/
> > > - cadata=1,kou8Vc9O9nrV4YRnTwVz6QMNbuiWuIg2NprLOkMT4NEcDtGkSTB2P9ORB2QUHsuP+E2OfwYC4rWCMgGe; HttpOnly; secure; path=/
> > >  
> > > However at parsing the cookies, 3 cookies are recognized, i.e.:
> > > - sessionid=4241de88-1c21-4f39-b7b7-f50a87d6a828
> > > - 0x409
> > > - cadata=1,kou8Vc9O9nrV4YRnTwVz6QMNbuiWuIg2NprLOkMT4NEcDtGkSTB2P9ORB2QUHsuP+E2OfwYC4rWCMgGe
> > >  
> > > The 0x409 part should not be a cookie but should be a part of the
> > > sessionid cookie!!!
> > >  
> > 
> > No, this is wrong. The cookie sessionid clearly violates the HTTP spec
> > and the Cookie and Cookie2 specs. Please report this bug to the software
> > manufacturer.
> > 
> > Actually you should be getting 4 cookies in total, as the cadata cookie
> > is invalid as well.
> > 
> > HttpClient 3.0 provides the Netscape Draft cookie spec which may work
> > with these cookies. Netscape Cookie Draft is the only spec that permits
> > the use of special separator characters, such as comma, in cookie values
> > that are not enclosed in quotes
> > 
> > Hope this explains the situation
> > 
> > Oleg  
> > 
> > 
> > > The ideal solution would be to correct this in the cookie parser.
> > > Because I am no expert in cookies and httpclient, I changed the
> > > httpstate class in such a way that I can manipulate the cookies. See
> > > patch below.
> > >  
> > > Jan
> > >  
> > > 
> > > 
> > > [patch]
> > > Index:
> > >
> >
> D:/jakarta/httpclient/src/java/org/apache/commons/httpclient/HttpState.j
> > > ava
> > > ===================================================================
> > > ---
> > >
> >
> D:/jakarta/httpclient/src/java/org/apache/commons/httpclient/HttpState.j
> > > ava	(revision 379076)
> > > +++
> > >
> >
> D:/jakarta/httpclient/src/java/org/apache/commons/httpclient/HttpState.j
> > > ava	(working copy)
> > > @@ -1,7 +1,7 @@
> > >  /*
> > >   * $Header:
> > >
> >
> /home/jerenkrantz/tmp/commons/commons-convert/cvs/home/cvs/jakarta-commo
> > >
> ns//httpclient/src/java/org/apache/commons/httpclient/HttpState.java,v
> > > 1.22.2.3 2003/10/29 03:08:49 mbecke Exp $
> > >   * $Revision: 1.22.2.3 $
> > > - * $Date: 2003/10/29 03:08:49 $
> > > + * $Date$
> > >   *
> > >   *
> > ====================================================================
> > >   *
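Review bot: the `$Date: 2003/10/29 03:08:49 $` to `$Date$` change in the file header is version-control keyword churn unrelated to cookie handling, and the same goes for the `@version` line in the next hunk. Drop both from the patch so the diff contains only the `addCookie` and `removeCookie` changes.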
> > > @@ -96,7 +96,7 @@
> > >   * @author <a href="mailto:mbowler@GargoyleSoftware.com">Mike
> > > Bowler</a>
> > >   * @author <a href="mailto:adrian@intencha.com">Adrian Sutton</a>
> > >   * 
> > > - * @version $Revision: 1.22.2.3 $ $Date: 2003/10/29 03:08:49 $
> > > + * @version $Revision: 1.22.2.3 $ $Date$
> > >   * 
> > >   */
> > >  public class HttpState {
> > > @@ -199,6 +199,7 @@
> > >      public synchronized void addCookie(Cookie cookie) {
> > >          LOG.trace("enter HttpState.addCookie(Cookie)");
> > >  
> > > +        int i = 0;
> > >          if (cookie != null) {
> > >              // first remove any old cookie that is equivalent
> > >              for (Iterator it = cookies.iterator(); it.hasNext();) {
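Review bot: `int i = 0;` is declared ahead of the `if (cookie != null)` check although it is only used inside it, and the name does not say that it tracks a list position. Move the declaration inside the null check and give it a descriptive name such as `index`.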
> > > @@ -207,13 +208,37 @@
> > >                      it.remove();
> > >                      break;
> > >                  }
> > > +                i++;
> > >              }
> > >              if (!cookie.isExpired()) {
> > > -                cookies.add(cookie);
> > > +		    if (i==0)
> > > +		    	   cookies.add(cookie);
> > > +		    else	
> > > +                	   cookies.add(i,cookie);
> > >              }
> > >          }
> > >      }
> > > +    /**
> > > +     * Remove an {@link Cookie HTTP cookie}, any existing
> equivalent
> > > cookies.
> > > +     * 
> > > +     * @param cookie the {@link Cookie cookie} to be removed
> > > +     * 
> > > +     */
> > > +    public synchronized void removeCookie(Cookie cookie) {
> > > +        LOG.trace("enter HttpState.removeCookie(Cookie)");
> > >  
> > > +        if (cookie != null) {
> > > +            // first remove any old cookie that is equivalent
> > > +            for (Iterator it = cookies.iterator(); it.hasNext();) {
> > > +                Cookie tmp = (Cookie) it.next();
> > > +                if (cookie.equals(tmp)) {
> > > +                    it.remove();
> > > +                    break;
> > > +                }
> > > +            }
> > > +        }
> > > +    }
> > > +
> > >      /**
> > >       * Adds an array of {@link Cookie HTTP cookies}. Cookies are
> > added
> > > individually and 
> > >       * in the given array order. If any of the given cookies has
> > > already expired it will 
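Review bot: in `addCookie`, the `if (i==0)` branch cannot distinguish an empty list from an equivalent cookie found at index 0, so a replaced first cookie is appended at the end while a replaced cookie at any other index keeps its position. Because `i` equals the list size when the loop finds no match, `cookies.add(i,cookie)` on its own covers every case and the branch can be removed. In `removeCookie`, the Javadoc says "any existing equivalent cookies" but the loop breaks after the first match, and the `// first remove any old cookie that is equivalent` comment is carried over from `addCookie`; align both with what the method does, and consider returning a boolean so the caller can tell whether a cookie was removed.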
> > > 
> > >
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail:
> httpclient-dev-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail:
> > httpclient-dev-help@jakarta.apache.org
> > > 
> > > 
> 
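
The splitting behaviour discussed in this thread, as an added example that is not part of the original messages and is not HttpClient code: a simplified model of RFC 2109 style comma splitting next to the Netscape draft's one-cookie-per-header rule, run on the headers from the thread. The class and method names are hypothetical, and the `cadata` values are shortened, constructed stand-ins.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the two splitting rules from the thread; not HttpClient's code.
public class CookieSplitDemo {

    // RFC 2109 style: the header value is a comma-separated list of cookies,
    // so only a comma inside a quoted string is kept as value data.
    // Backslash-escaped quotes inside a quoted string are not handled here.
    static List<String> splitRfc2109(String header) {
        List<String> elements = new ArrayList<>();
        StringBuilder current = new StringBuilder();
        boolean inQuotes = false;
        for (char c : header.toCharArray()) {
            if (c == '"') inQuotes = !inQuotes;
            if (c == ',' && !inQuotes) {
                elements.add(current.toString().trim());
                current.setLength(0);
            } else {
                current.append(c);
            }
        }
        elements.add(current.toString().trim());
        return elements;
    }

    // Netscape draft style: one cookie per header, so a comma is ordinary value data.
    static List<String> splitNetscape(String header) {
        return List.of(header.trim());
    }

    // The name=value part of an element is everything before its first ';'.
    static String nameValue(String element) {
        return element.split(";", 2)[0].trim();
    }

    public static void main(String[] args) {
        String[] headers = { // cadata values are shortened, constructed stand-ins
            "sessionid=4241de88-1c21-4f39-b7b7-f50a87d6a828, 0x409; path=/",
            "cadata=1,EXAMPLEVALUE; HttpOnly; secure; path=/",
            "cadata=\"1,EXAMPLEVALUE\"; HttpOnly; secure; path=/"
        };
        for (String header : headers) {
            System.out.println(header);
            for (String e : splitRfc2109(header)) System.out.println("  RFC 2109 element: " + nameValue(e));
            for (String e : splitNetscape(header)) System.out.println("  Netscape element: " + nameValue(e));
        }
    }
}
```

Under the RFC 2109 rule the two unquoted headers each split into two elements, which is the "4 cookies in total" count from the thread, while the quoted `cadata` header stays a single element under both rules.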

