hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: cookie paths (was: Can someone please explain what these errors mean?)
Date Thu, 17 Feb 2005 10:10:37 GMT
Roland,

I still think the wording of the RFCs implies that "/Canada/"
matches "/" but not the other way around. A cookie with a path attribute
"/Canada" can be set at the URL "/", but not vice versa.

Oleg


On Thu, Feb 17, 2005 at 10:43:51AM +0100, Roland Weber wrote:
> Hi Oleg,
> 
> speaking from a string perspective, "/" is a prefix of both,
> "/Canada" and "/Canada/whatever.asp". RFC 2965 mentions
> string-matching for paths on top of page 2.
> 
> cheers,
>   Roland
> 
> Oleg Kalnichevski <olegk@apache.org>
> 17.02.2005 10:31
> Please respond to "HttpClient User Discussion"
> To: HttpClient User Discussion <httpclient-user@jakarta.apache.org>
> Subject: Re: cookie paths (was: Can someone please explain what these errors mean?)
> 
> RFC 2109
> 
> <quote>
> 4.3.2  Rejecting Cookies
> 
> To prevent possible security or privacy violations, a user agent rejects
> a cookie (shall not store its information) if any of the following is
> true:
> 
> * The value for the Path attribute is not a prefix of the request-URI.
> 
> </quote>
> 
> Please correct me if I am wrong but the first point implies that a CGI
> at the url "/Canada/whatever.asp" may only set cookies with path
> starting with "/Canada/". Am I misreading the RFC?
> 
> Evil Comrade Oleg (a.k.a cookie ayatollah)
> 
> 
> On Thu, Feb 17, 2005 at 10:17:47AM +0100, Roland Weber wrote:
> > Hi Oleg,
> > 
> > > A cookie with "/" path attribute may not be
> > > set from a URL other than "/". 
> > 
> > my understanding is that a cookie with path "/" may be set from any URL
> > with path prefix "/". RFC 2109 mentions the prefix requirement in section
> > 4.3.2 on page 6. So does RFC 2965 in section 3.3.2 on page 8. Unlike with
> > domain names, there is no "reach" restriction that would prevent a servlet at
> > /where/ever/it/may/reside to set a cookie for / on that host, which would
> > be the same as setting a cookie without any path at all.
> > 
> > cheers,
> >   Roland
> 
> 
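
Added example (not part of the original messages and not HttpClient's own code): the RFC 2109 section 4.3.2 prefix test quoted in the thread, applied literally to the paths the posters discuss. The class and method names are hypothetical, the inputs are constructed, and the second, segment-boundary check is an assumption that goes beyond what the thread covers.

```java
// Added example; names are hypothetical and the sample paths are constructed.
public class CookiePathCheck {

    // RFC 2109 section 4.3.2 as quoted in the thread: the user agent rejects
    // the cookie when the Path attribute is not a prefix of the request-URI.
    // Both arguments are the path component only (no query string).
    static boolean rejectedByPrefixRule(String cookiePath, String requestPath) {
        return !requestPath.startsWith(cookiePath);
    }

    // Assumption beyond the thread: a stricter variant that only accepts a
    // prefix ending on a "/" boundary, so "/Can" cannot cover "/Canada/...".
    static boolean rejectedBySegmentRule(String cookiePath, String requestPath) {
        if (!requestPath.startsWith(cookiePath)) {
            return true;                       // not a prefix at all
        }
        if (requestPath.length() == cookiePath.length()) {
            return false;                      // identical paths
        }
        boolean onBoundary = cookiePath.endsWith("/")
                || requestPath.charAt(cookiePath.length()) == '/';
        return !onBoundary;
    }

    public static void main(String[] args) {
        // {Path attribute of the Set-Cookie header, path of the request-URI}
        String[][] cases = {
            {"/",        "/Canada/whatever.asp"},
            {"/Canada/", "/Canada/whatever.asp"},
            {"/Canada",  "/"},
            {"/Can",     "/Canada/whatever.asp"},
        };
        for (String[] c : cases) {
            System.out.printf("Path=%-9s request=%-21s prefix rule: %-8s segment rule: %s%n",
                    c[0], c[1],
                    rejectedByPrefixRule(c[0], c[1]) ? "reject" : "accept",
                    rejectedBySegmentRule(c[0], c[1]) ? "reject" : "accept");
        }
    }
}
```

The fourth case is the one where the two checks differ: a literal string prefix test accepts a Path that stops in the middle of a path segment.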
