hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Best Match Spec assumes netscape cookie even if version present?
Date Fri, 01 Aug 2014 12:20:02 GMT
On Thu, 2014-07-31 at 16:34 -0700, Gregory Chanan wrote:
> Over in HADOOP-10911 (https://issues.apache.org/jira/browse/HADOOP-10911)
> we are trying to figure out a cookie format that works well with httpclient.
> The cookie looks something like this:
> hadoop.auth="someValue"; Version=1; Expires=Fri, 01 Aug 2014 09:03:40 GMT;
> HttpOnly
> The issue with this is the Expires triggers the cookie to be parsed as a
> netscape cookie, even though the version field is present (I'm using
> httpclient 4.2.5, but trunk seems similar):
> https://github.com/apache/httpclient/blob/405f464a84b0bcb70643db78fe916b0bad83936f/httpclient/src/main/java/org/apache/http/impl/cookie/BestMatchSpec.java#L106-L114
The problem is that the 'expires' attribute in question is malformed
(contains a comma that is not escaped). The reason for the 'expires'
attribute taking precedence over the 'version' attribute is that such
malformations are simply too common. But what definitely looks wrong is
that the cookie spec stores the cookie with version equal to 1 instead
of 0 (Netscape style). The 'version' attribute should have been ignored.

> and the hadoop.auth value is stored on the client with quotes, since the
> netscape cookies do not support quotes (from RFC2109): "Note that the
> Expires date format contains embedded spaces, and that "old" cookies did
> not have quotes around values. "
> Then, when the cookie is sent back to the server, the hadoop.auth value is
> quoted again, i.e.:
> hadoop.auth=""someValue""; Version=1; Expires=Fri, 01 Aug 2014 09:03:40
> GMT; HttpOnly
> which causes the server to see the hadoop.auth value as "".
> Does this seem like a bug? 

Yes, it does. Please raise a JIRA for this defect.

>  It seems like httpclient could handle this in a
> number of ways, e.g:
> 1) having a version field causes the cookie to be parsed even if there is
> an expires (note: we'd have to quote the Expires to get it to parse
> correctly as a non-netscape cookie)
> 2) if it's a netscape cookie, it shouldn't be quoted when sent back, since
> netscape cookies don't support quotes anyway
> 3) perhaps some check on the expires, i.e. if it's quoted it's assumed not
> to be a netscape cookie, since netscape cookies don't have quotes

The problem is that an incorrect 'version' attribute value causes the
cookie to be formatted as a standard (version 1) cookie, which may lead
to some attribute values being enclosed in quote marks twice.
> Thoughts?
> Greg

To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
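The round trip described in this thread (Set-Cookie with an unquoted, comma-bearing Expires; client store; Cookie header; server read), as an added example that is not part of the original message or of httpclient's code. The parser below is a deliberately small stand-in for a cookie spec: the "unquoted Expires means Netscape" heuristic, the decision to keep or ignore the declared Version, and the assumption that the version 1 formatter wraps every value in quotes without escaping are all modelled here to reproduce the observed `""someValue""` output, not copied from BestMatchSpec. The two Set-Cookie values are constructed from the header quoted above.

```python
"""Model of the Netscape-vs-RFC 2109 cookie handling discussed above.

Constructed example, not httpclient's code: it reproduces the reported
round trip (Set-Cookie -> client store -> Cookie header -> server) with a
small parser so the effect of honouring or ignoring 'Version' on a
Netscape-style cookie can be seen directly.
"""
from dataclasses import dataclass, field

# Constructed inputs. The first is the header from the thread: its Expires
# date carries an unescaped comma, which RFC 2109 reads as a cookie
# separator, so the header is malformed under that RFC. The second quotes
# the date, which is the well-formed RFC 2109 form.
NETSCAPE_STYLE = ('hadoop.auth="someValue"; Version=1; '
                  'Expires=Fri, 01 Aug 2014 09:03:40 GMT; HttpOnly')
RFC2109_STYLE = ('hadoop.auth="someValue"; Version=1; '
                 'Expires="Fri, 01 Aug 2014 09:03:40 GMT"; HttpOnly')


@dataclass
class StoredCookie:
    name: str
    value: str                 # value as kept in the client cookie store
    version: int               # 0 = Netscape, 1 = RFC 2109
    attrs: dict = field(default_factory=dict)


def read_value(raw):
    """Read a cookie value the way a quoted-string aware parser does: a
    leading quote opens a quoted-string that ends at the next quote, and
    anything after that closing quote is dropped. Unquoted values are
    taken verbatim."""
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw


def split_attributes(header_value):
    """Split a Set-Cookie value on ';' into (name, value) pairs."""
    pairs = []
    for chunk in header_value.split(';'):
        chunk = chunk.strip()
        if chunk:
            name, sep, value = chunk.partition('=')
            pairs.append((name.strip(), value.strip() if sep else None))
    return pairs


def looks_netscape(pairs):
    """Heuristic modelled on the thread: an unquoted Expires attribute is
    taken as evidence of a Netscape cookie, and it wins over Version."""
    return any(n.lower() == 'expires' and v is not None and not v.startswith('"')
               for n, v in pairs)


def parse_set_cookie(header_value, ignore_version_for_netscape):
    """Client-side parse. With ignore_version_for_netscape=False the
    declared Version is stored even for a Netscape cookie, which is the
    behaviour reported as a bug; with True the version is forced to 0."""
    pairs = split_attributes(header_value)
    name, value = pairs[0]
    attrs = {n.lower(): v for n, v in pairs[1:]}
    declared = int(read_value(attrs.get('version') or '0'))
    if looks_netscape(pairs):
        # Netscape cookies have no quoting rules, so the quotes stay in the value.
        version = 0 if ignore_version_for_netscape else declared
    else:
        version = declared
        value = read_value(value)  # RFC 2109: quoted-string is decoded
    return StoredCookie(name, value, version, attrs)


def format_cookie_pair(cookie):
    """Client-side formatting of the name=value pair for the Cookie header.
    Assumption: the version 1 formatter wraps every value in quotes without
    escaping, which is what produces the doubled quotes seen in the thread;
    the version 0 formatter sends the stored value verbatim."""
    if cookie.version == 0:
        return f'{cookie.name}={cookie.value}'
    return f'{cookie.name}="{cookie.value}"'


def round_trip(header_value, ignore_version_for_netscape):
    """Returns (pair sent back to the server, value the server reads)."""
    cookie = parse_set_cookie(header_value, ignore_version_for_netscape)
    sent = format_cookie_pair(cookie)
    server_value = read_value(sent.partition('=')[2])
    return sent, server_value


if __name__ == '__main__':
    for label, header, ignore in [('buggy', NETSCAPE_STYLE, False),
                                  ('fixed', NETSCAPE_STYLE, True),
                                  ('quoted Expires', RFC2109_STYLE, True)]:
        sent, seen = round_trip(header, ignore)
        print(f'{label:>14}: sent {sent!r:32} server sees {seen!r}')
```

Running it shows the three outcomes side by side: storing version 1 for the Netscape-style header sends `hadoop.auth=""someValue""` and the server reads an empty value; forcing version 0 sends the stored `"someValue"` verbatim and the server reads `someValue`; quoting the Expires date makes the header well-formed RFC 2109, so the quotes are decoded on receipt and re-applied once on send.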
