hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: cookie paths (was: Can someone please explain what these errors mean?)
Date Thu, 17 Feb 2005 09:31:17 GMT
RFC 2109

<quote>
4.3.2  Rejecting Cookies

To prevent possible security or privacy violations, a user agent rejects
a cookie (shall not store its information) if any of the following is
true:

* The value for the Path attribute is not a prefix of the request-URI.

</quote>

Please correct me if I am wrong but the first point implies that a CGI
at the URL "/Canada/whatever.asp" may only set cookies with path
starting with "/Canada/". Am I misreading the RFC?

Evil Comrade Oleg (a.k.a cookie ayatollah)


On Thu, Feb 17, 2005 at 10:17:47AM +0100, Roland Weber wrote:
> Hi Oleg,
> 
> > A cookie with "/" path attribute may not be
> > set from a URL other than "/". 
> 
> my understanding is that a cookie with path "/" may be set from any URL with
> path prefix "/". RFC 2109 mentions the prefix requirement in section 4.3.2
> on page 6. So does RFC 2965 in section 3.3.2 on page 8. Unlike with domain
> names, there is no "reach" restriction that would prevent a servlet at
> /where/ever/it/may/reside to set a cookie for / on that host, which would
> be the same as setting a cookie without any path at all.
> 
> cheers,
>   Roland

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
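
The rule quoted above from RFC 2109 section 4.3.2, read as a plain string-prefix test and applied to the paths mentioned in this thread. This is an added example, not part of the original message and not HttpClient's own code. The class name, cookie names and Set-Cookie values are constructed for illustration, and the attribute parser is simplified (it does not handle ';' inside quoted values).

```java
// Added illustration (not HttpClient code): the RFC 2109 section 4.3.2 Path check.
public class CookiePathCheck {

    // Return the Path attribute of a Set-Cookie value, or null if it has none.
    static String pathAttribute(String setCookie) {
        String[] parts = setCookie.split(";");
        // parts[0] is the NAME=VALUE pair itself, so attributes start at index 1.
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("Path")) {
                String v = kv[1].trim();
                // RFC 2109 allows attribute values to be quoted strings.
                if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
                    v = v.substring(1, v.length() - 1);
                }
                return v;
            }
        }
        return null;
    }

    // RFC 2109 section 4.3.1: Path defaults to the request path up to,
    // but not including, the right-most '/'.
    static String defaultPath(String requestPath) {
        return requestPath.substring(0, Math.max(0, requestPath.lastIndexOf('/')));
    }

    // True if the cookie may be stored: its Path is a prefix of the request path.
    static boolean accepts(String requestUri, String setCookie) {
        String requestPath = requestUri.split("[?#]", 2)[0];
        String path = pathAttribute(setCookie);
        if (path == null) {
            path = defaultPath(requestPath);
        }
        return requestPath.startsWith(path);
    }

    public static void main(String[] args) {
        String[][] cases = {   // constructed sample inputs
            {"/Canada/whatever.asp", "lang=en; Path=/Canada/"},
            {"/Canada/whatever.asp", "lang=en; Path=/"},
            {"/Canada/whatever.asp", "lang=en; Path=/USA/"},
            {"/Canada/whatever.asp", "lang=en"},
            {"/where/ever/it/may/reside", "sid=1; Path=\"/\"; Version=1"},
        };
        for (String[] c : cases) {
            System.out.printf("%-26s %-30s %s%n", c[0], c[1], accepts(c[0], c[1]) ? "store" : "reject");
        }
    }
}
```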

