hc-httpclient-users mailing list archives

From Roland Weber <ROLWE...@de.ibm.com>
Subject Re: cookie paths (was: Can someone please explain what these errors mean?)
Date Thu, 17 Feb 2005 09:43:51 GMT
Hi Oleg,

speaking from a string perspective, "/" is a prefix of both,
"/Canada" and "/Canada/whatever.asp". RFC 2965 mentions
string-matching for paths on top of page 2.

cheers,
  Roland





Oleg Kalnichevski <olegk@apache.org>
17.02.2005 10:31
Please respond to "HttpClient User Discussion"
To: HttpClient User Discussion <httpclient-user@jakarta.apache.org>
Subject: Re: cookie paths (was: Can someone please explain what these errors mean?)

RFC 2109

<quote>
4.3.2  Rejecting Cookies

To prevent possible security or privacy violations, a user agent rejects
a cookie (shall not store its information) if any of the following is
true:

* The value for the Path attribute is not a prefix of the request-URI.

</quote>

Please correct me if I am wrong but the first point implies that a CGI
at the url "/Canada/whatever.asp" may only set cookies with path
starting with "/Canada/". Am I misreading the RFC?

Evil Comrade Oleg (a.k.a cookie ayatollah)


On Thu, Feb 17, 2005 at 10:17:47AM +0100, Roland Weber wrote:
> Hi Oleg,
> 
> > A cookie with "/" path attribute may not be
> > set from a URL other than "/". 
> 
> my understanding is that a cookie with path "/" may be set from any URL
> with path prefix "/". RFC 2109 mentions the prefix requirement in section
> 4.3.2 on page 6. So does RFC 2965 in section 3.3.2 on page 8. Unlike with
> domain names, there is no "reach" restriction that would prevent a servlet at
> /where/ever/it/may/reside to set a cookie for / on that host, which would
> be the same as setting a cookie without any path at all.
> 
> cheers,
>   Roland

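The two readings of the RFC 2109 section 4.3.2 rule discussed in this thread, side by side, as an added example that is not part of the original messages and not HttpClient code. The class and method names are hypothetical, the Path values are constructed samples, and the third check (prefix on a "/" boundary) is an assumption added for comparison.

```java
public class CookiePathCheck {

    // Literal reading of RFC 2109 section 4.3.2 (Roland's position):
    // accept only if the Path attribute is a string prefix of the request path.
    static boolean stringPrefixAccepts(String cookiePath, String requestPath) {
        return requestPath.startsWith(cookiePath);
    }

    // Reading Oleg asks about: the Path attribute itself must start with
    // the directory of the request path ("/Canada/" for "/Canada/whatever.asp").
    static boolean directoryReadingAccepts(String cookiePath, String requestPath) {
        String dir = requestPath.substring(0, requestPath.lastIndexOf('/') + 1);
        return cookiePath.startsWith(dir);
    }

    // Stricter variant (an assumption, not quoted on the page): string prefix
    // that must also end on a "/" segment boundary, so "/Can" does not match.
    static boolean segmentPrefixAccepts(String cookiePath, String requestPath) {
        if (!requestPath.startsWith(cookiePath)) return false;
        return cookiePath.endsWith("/")
                || requestPath.length() == cookiePath.length()
                || requestPath.charAt(cookiePath.length()) == '/';
    }

    public static void main(String[] args) {
        String requestPath = "/Canada/whatever.asp"; // request path from the thread
        // Constructed sample Path attribute values.
        String[] cookiePaths = { "/", "/Canada", "/Canada/", "/Can", "/Canada/sub/", "/Other" };
        System.out.printf("%-14s %-8s %-10s %-8s%n", "Path", "prefix", "directory", "segment");
        for (String p : cookiePaths) {
            System.out.printf("%-14s %-8b %-10b %-8b%n", p,
                    stringPrefixAccepts(p, requestPath),
                    directoryReadingAccepts(p, requestPath),
                    segmentPrefixAccepts(p, requestPath));
        }
    }
}
```

Path "/" passes both prefix checks and fails the directory reading, which is the disagreement in the thread; "/Can" passes only the literal string-prefix check.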