Delivered-To: mailing list httpclient-users@hc.apache.org
Date: Thu, 31 Jul 2014 16:34:15 -0700
Subject: Best Match Spec assumes netscape cookie even if version present?
From: Gregory Chanan
To: HttpClient User Discussion

Over in HADOOP-10911 (https://issues.apache.org/jira/browse/HADOOP-10911) we are trying to figure out a cookie format that works well with httpclient. The cookie looks something like this:

    hadoop.auth="someValue"; Version=1; Expires=Fri, 01 Aug 2014 09:03:40 GMT; HttpOnly

The issue with this is the Expires triggers the cookie to be parsed as a netscape cookie, even though the version field is present (I'm using httpclient 4.2.5, but trunk seems similar):

https://github.com/apache/httpclient/blob/405f464a84b0bcb70643db78fe916b0bad83936f/httpclient/src/main/java/org/apache/http/impl/cookie/BestMatchSpec.java#L106-L114

and the hadoop.auth value is stored on the client with quotes, since the netscape cookies do not support quotes (from RFC2109):

    "Note that the Expires date format contains embedded spaces, and that "old" cookies did not have quotes around values."

Then, when the cookie is sent back to the server, the hadoop.auth value is quoted again, i.e.:

    hadoop.auth=""someValue""; Version=1; Expires=Fri, 01 Aug 2014 09:03:40 GMT; HttpOnly

which causes the server to see the hadoop.auth value as "".

Does this seem like a bug?
It seems like httpclient could handle this in a number of ways, e.g.:

1) having a version field causes the cookie to be parsed even if there is an expires (note: we'd have to quote the Expires to get it to parse correctly as a non-netscape cookie)
2) if it's a netscape cookie, it shouldn't be quoted when sent back, since netscape cookies don't support quotes anyway
3) perhaps some check on the expires, i.e. if it's quoted it's assumed not to be a netscape cookie, since netscape cookies don't have quotes

Thoughts?

Greg
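The round trip described in the message, as an added example that is not part of the original post and is not HttpClient's code: a simplified Python model of a client that keeps the quotes when Expires selects Netscape parsing and then re-quotes Version=1 values on send, compared with options 1 and 2 from the message. The function names, the two policy flags and the naive ';' splitting are assumptions made for this illustration.

```python
import re

# Set-Cookie value quoted in the message above.
SET_COOKIE = ('hadoop.auth="someValue"; Version=1; '
              'Expires=Fri, 01 Aug 2014 09:03:40 GMT; HttpOnly')

def split_cookie(header):
    """Return (name, raw_value, attrs); naive split on ';', no unquoting."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, raw = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), raw.strip(), attrs

def client_store(header, version_wins=False):
    """Expires selects Netscape parsing, which keeps the quotes in the value.
    version_wins models option 1: a Version attribute overrides Expires."""
    name, raw, attrs = split_cookie(header)
    netscape = "expires" in attrs and not (version_wins and "version" in attrs)
    unquoted = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return {"name": name, "value": raw if netscape else unquoted,
            "version": int(attrs.get("version", 0)), "netscape": netscape}

def client_send(cookie, skip_quotes_for_netscape=False):
    """Version >= 1 values go out as quoted-strings.
    skip_quotes_for_netscape models option 2: send Netscape values verbatim."""
    quote = cookie["version"] >= 1 and not (
        skip_quotes_for_netscape and cookie["netscape"])
    value = '"%s"' % cookie["value"] if quote else cookie["value"]
    return "%s=%s" % (cookie["name"], value)

def server_read(pair):
    """Server side: take a leading quoted-string if present, else the raw text."""
    raw = pair.partition("=")[2]
    match = re.match(r'"([^"]*)"', raw)
    return match.group(1) if match else raw

def round_trip(version_wins=False, skip_quotes_for_netscape=False):
    """Return (pair sent by the client, value the server recovers)."""
    cookie = client_store(SET_COOKIE, version_wins)
    sent = client_send(cookie, skip_quotes_for_netscape)
    return sent, server_read(sent)

if __name__ == "__main__":
    print("as reported:", round_trip())
    print("option 1:   ", round_trip(version_wins=True))
    print("option 2:   ", round_trip(skip_quotes_for_netscape=True))
```

In the reported case the server's quoted-string reader stops at the first closing quote, so the authentication value it recovers is empty; under either option the original value survives the round trip.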