hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (HTTPCLIENT-661) Error with quoted cookie value
Date Tue, 07 Aug 2007 16:23:59 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-661?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Oleg Kalnichevski resolved HTTPCLIENT-661.

    Resolution: Won't Fix


I looked into possibility of providing a workaround for this issue in HttpClient 4.0 but have
to conclude it would require too many ugly hacks or code duplication I am prepared to live
with. I either have to add an extra attribute 'isQuoted' to HeaderElement / NameValuePair
interfaces or duplicate the complete HTTP header parser code in the cookie specs classes.
This is too much of a price to pay for a work-around for what is essentially a bug in a broken
CGI script. This problem is better solved by implementing a custom browser cookie spec extension
with a trivial amount of extra code.


> Error with quoted cookie value
> ------------------------------
>                 Key: HTTPCLIENT-661
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-661
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpCookie
>    Affects Versions: 3.0 Final, 3.0.1, 3.1 RC1
>         Environment: Mac OSX 10.4.9
> Java 1.5
> Firefox
>            Reporter: David Brochoire
>            Priority: Minor
>             Fix For: 4.0 Alpha 2
> If a web server sends this http header (for example, after an authentication) :
>   Set-Cookie: cookie-name="quoted-cookie-value-authent-ok";Path=/; secure
> In the parsing of cookies, when HttpClient detects a quoted cookie, it strip the
> first and the last quote '"', so it stores the value :
>   quoted-cookie-value-authent-ok
> When you go on the next page after the authenticate page, with the policy
> BROWSER_COMPATIBILITY and all others, HttpClient sends this http header :
>   Cookie: cookie-name=quoted-cookie-value-authent-ok
> But the server expects to receive the value :
>   Cookie: cookie-name="quoted-cookie-value-authent-ok"
> and it rejects the client because it doesn't recognize the authenticated cookie.
> The server doesn't work correctly because quotation marks in cookie attributes
> are optional as long as those attribute values contain no reserved characters,
> but I don't have control above and if I do the same test with firefox, it stores
> the cookie value with quotes '"'.
> So, in the case of the policy BROWSER_COMPATIBILITY it would be better to don't
> strip away quotes (like firefox).

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org

View raw message