hc-dev mailing list archives

From "Detlev Beutner (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1006) BrowserCompatSpec: don't trim " around cookie value
Date Thu, 29 Dec 2016 12:40:58 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15785249#comment-15785249 ]

Detlev Beutner commented on HTTPCLIENT-1006:

Hi Oleg,

Sorry to hear that; I don't know how to explain this better, especially if you don't give
a hint where's the issue in understanding.

Anyhow, let's break this down to the core technical question: If a server sends a cookie,
how does the client have to return this one?

RFC 6265 on the one hand defines how the server sends a cookie to the client (4.1.1):
{quote}set-cookie-string = cookie-pair *( ";" SP cookie-av )
cookie-pair       = cookie-name "=" cookie-value
cookie-name       = token
cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ){quote}

On the other hand, it defines how such received cookies are to be sent back to a server (4.2.1):
{quote}cookie-header = "Cookie:" OWS cookie-string OWS
cookie-string = cookie-pair *( ";" SP cookie-pair ){quote}
... where cookie-pair is the cookie-pair from above!

And explicitly (4.2.2):
{quote}The cookie-pair contains the cookie-name and cookie-value the user agent received in
the Set-Cookie header.{quote}

So a cookie whose value came in DQs also has to be sent back in DQs. That's the core bug.

One might argue if _other_ accesses to cookie values should return the DQs or not (i.e., if
they should be interpreted as a pure "transport mechanism", then: no; or if the DQs really
should be part of the _semantic_ value, then: yes). But that's not what we are discussing
here. _That_ discussion might lead to extensions to the Cookie interface, where (just a thought)
the getValue method might be accompanied by an additional getRawValue method (then getValue
would return a value without DQs, whereas getRawValue would return the complete _cookie-value_
as received via the network, so in the DQ case, with DQs). But as said, that's more the question
_how to fix this_.

Best regards

> BrowserCompatSpec: don't trim " around cookie value
> ---------------------------------------------------
>                 Key: HTTPCLIENT-1006
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1006
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.0.2
>            Reporter: Marc Guillemot
> If the server sends a cookie header like:
> Set-Cookie: first="hello world"
> then HttpClient parses it as cookie with value >hello world<, wrongly removing
> the leading and trailing quotes. The incorrect quote removal occurs in BasicHeaderValueParser.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
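
The round trip discussed in the message above, as an added example that is not part of the original message and is not HttpClient code. It splits name and value the way the RFC 6265 section 5.2 user-agent algorithm does and builds the Cookie header from the stored raw value. The names `CookieRoundTrip`, `Pair` and `parseSetCookie` are hypothetical, and `getRawValue` is the idea floated in the comment, not an existing HttpClient method.

```java
import java.util.Optional;

/** Added example (not HttpClient code): RFC 6265 cookie-pair round trip. */
public final class CookieRoundTrip {

    /** Hypothetical holder; getRawValue follows the idea floated in the comment. */
    static final class Pair {
        final String name;
        final String rawValue;   // cookie-value exactly as received, DQUOTEs included
        Pair(String name, String rawValue) { this.name = name; this.rawValue = rawValue; }

        String getRawValue() { return rawValue; }

        /** Value with one surrounding DQUOTE pair removed, for application use only. */
        String getValue() {
            boolean quoted = rawValue.length() >= 2
                    && rawValue.charAt(0) == '"' && rawValue.charAt(rawValue.length() - 1) == '"';
            return quoted ? rawValue.substring(1, rawValue.length() - 1) : rawValue;
        }

        /** The Cookie request header is always built from the raw value. */
        String toCookieHeader() { return "Cookie: " + name + "=" + rawValue; }
    }

    private static String trimWsp(String s) { return s.replaceAll("^[ \\t]+|[ \\t]+$", ""); }

    /** Name/value split as in the RFC 6265 section 5.2 user-agent algorithm. */
    static Optional<Pair> parseSetCookie(String setCookieString) {
        int semi = setCookieString.indexOf(';');
        String nv = semi < 0 ? setCookieString : setCookieString.substring(0, semi);
        int eq = nv.indexOf('=');
        if (eq < 0) return Optional.empty();              // no "=": ignore the header
        String name = trimWsp(nv.substring(0, eq));
        String value = trimWsp(nv.substring(eq + 1));
        if (name.isEmpty()) return Optional.empty();      // empty name: ignore the header
        return Optional.of(new Pair(name, value));
    }

    public static void main(String[] args) {
        // Constructed sample Set-Cookie values; the first is the one from the issue report.
        String[] samples = { "first=\"hello world\"", "sid=abc123; Path=/; HttpOnly", "novalue" };
        for (String s : samples) {
            Optional<Pair> p = parseSetCookie(s);
            if (p.isEmpty()) { System.out.println("ignored: " + s); continue; }
            System.out.println(p.get().toCookieHeader() + "   (getValue -> " + p.get().getValue() + ")");
        }
    }
}
```

For the issue's sample, the header sent back is `Cookie: first="hello world"`, while `getValue` yields `hello world` for callers that only want the unquoted content.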
