hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roland Weber <ROLWE...@de.ibm.com>
Subject Re: cookie paths (was: Can someone please explain what these errors mean?)
Date Thu, 17 Feb 2005 13:00:16 GMT
Hi Oleg,

> Think of session cookies. Most of browsers do not include the path
> attribute when sending cookies to the server. If the scheme you 
> are suggesting were correct a servlet engine would not be able to 
> distinguish session ids of individual web applications

That is correct. All web applications use the same session ID.
They keep different session objects in memory, so their data
remains separate. What ID is used does not really matter.

> Please do take a look at the Netscape draft:
>  path=PATH
>      The path attribute is used to specify the subset of URLs in a
>      domain for which the cookie is valid. If a cookie has already
>      passed domain matching, then the pathname component of the URL is
>      compared with the path attribute, and if there is a match, the
>      cookie is considered valid and is sent along with the URL request.
>      The path "/foo" would match "/foobar" and "/foo/bar.html". The path
>      "/" is the most general path.
> RFC 2109 meant to say pretty much the same

Yes, that's for selecting those cookies that get sent back from
the client to the server. Here, I fully agree with you. A cookie
for /app1 is sent only to /app1/*. But I still say that the cookie
can have been set by /app1/screens/login.jsp in the first place.

> I have no problem with being proven wrong. I can err as any mortal 

Since we cannot agree on a common interpretation of the RFC,
I doubt either of us can prove the other wrong :-) Referring
to the implementation, the last check in method validate(...)
of CookieSpecBase does not match your interpretation, does it?



  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message