hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HTTPCLIENT-1763) Invalid 'expires' attribute
Date Tue, 23 Aug 2016 13:04:20 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1763.
-------------------------------------------
    Resolution: Invalid

The only 'expired' format permitted by [Netscape cookie draft|http://web.archive.org/web/20020803110822/http://wp.netscape.com/newsref/std/cookie_spec.html]
is
{noformat}
Wdy, DD-Mon-YYYY HH:MM:SS GMT
{noformat}
which the cookie in question clearly violates.

However one can relax the default behavior by configuring the default policy to use additional
datetime formats.

Moreover, the users of HttpClient 4.4 and newer are advised to use RFC 6265 compliant policies
instead of the default one. See HttpClient 4.4 release notes for details.

Oleg

> Invalid 'expires' attribute
> ---------------------------
>
>                 Key: HTTPCLIENT-1763
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1763
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 4.5.2
>            Reporter: Oliver Stöneberg
>
> We updated HttpClient from 4.3.6 to 4.5.2 and suddenly these warnings started appearing:
> [org.apache.http.client.protocol.ResponseProcessCookies] Invalid cookie header: "Set-Cookie: PLAY_SESSION=; Max-Age=0; Expires=Tue, 23 Aug 2016 11:40:12 GMT; Path=/; Secure; HTTPOnly". Invalid 'expires' attribute: Tue, 23 Aug 2016 11:40:12 GMT
> Looks like this is actually a valid date according to several references:
> https://en.wikipedia.org/wiki/HTTP_cookie#Expires_and_Max-Age
> https://issues.apache.org/jira/browse/HTTPCLIENT-773
> https://issues.apache.org/jira/browse/HTTPCLIENT-1077
> https://issues.apache.org/jira/browse/HTTPCLIENT-923
> We are not using any specific cookie spec, so CookieSpecs.DEFAULT is being used.
> Looking at the source DefaultCookieSpec is being used which detects the netscape format by looking at "expires" in the "Set-Cookie" handler which leads to NetscapeDraftSpec feeding BasicExpiresHandler the NetscapeDraftSpec.EXPIRES_PATTERN which looks wrong to me.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
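
The two options named in the resolution, as an added example that is not part of the original message or of the HttpClient code base. It assumes HttpClient 4.5.x on the classpath; the class name, method names and the written-out Netscape pattern string are assumptions made for illustration.

```java
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.utils.DateUtils;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.util.PublicSuffixMatcherLoader;
import org.apache.http.cookie.CookieSpecProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.cookie.DefaultCookieSpecProvider;
import org.apache.http.impl.cookie.DefaultCookieSpecProvider.CompatibilityLevel;

public class CookieExpiresPolicies { // hypothetical class name
    // Assumption: SimpleDateFormat rendering of "Wdy, DD-Mon-YYYY HH:MM:SS GMT".
    static final String NETSCAPE_PATTERN = "EEE, dd-MMM-yy HH:mm:ss z";
    // 'expires' value copied from the Set-Cookie header in the report.
    static final String REPORTED = "Tue, 23 Aug 2016 11:40:12 GMT";

    // Option 1: select the RFC 6265 compliant policy instead of DEFAULT.
    static CloseableHttpClient rfc6265Client() {
        RequestConfig config = RequestConfig.custom()
                .setCookieSpec(CookieSpecs.STANDARD)
                .build();
        return HttpClients.custom().setDefaultRequestConfig(config).build();
    }

    // Option 2: keep the DEFAULT policy but give it additional date patterns.
    // The public suffix matcher is passed explicitly so that domain filtering
    // stays on; only the DEFAULT spec is registered in this registry.
    static CloseableHttpClient relaxedDefaultClient() {
        String[] patterns = { NETSCAPE_PATTERN, DateUtils.PATTERN_RFC1123 };
        Lookup<CookieSpecProvider> registry = RegistryBuilder.<CookieSpecProvider>create()
                .register(CookieSpecs.DEFAULT, new DefaultCookieSpecProvider(
                        CompatibilityLevel.DEFAULT, PublicSuffixMatcherLoader.getDefault(),
                        patterns, false))
                .build();
        return HttpClients.custom().setDefaultCookieSpecRegistry(registry).build();
    }

    public static void main(String[] args) throws Exception {
        String[] strict = { NETSCAPE_PATTERN };
        String[] relaxed = { NETSCAPE_PATTERN, DateUtils.PATTERN_RFC1123 };
        // DateUtils.parseDate returns null when no pattern matches the value.
        System.out.println("strict:  " + DateUtils.parseDate(REPORTED, strict));
        System.out.println("relaxed: " + DateUtils.parseDate(REPORTED, relaxed));
        try (CloseableHttpClient a = rfc6265Client(); CloseableHttpClient b = relaxedDefaultClient()) {
            // Issue requests with either client here.
        }
    }
}
```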
