hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: RFC 6265 and non-prefix cookie path
Date Sat, 26 Nov 2016 15:29:17 GMT
On Fri, 2016-11-25 at 16:02 +0100, Schulz-Hildebrandt, Ole wrote:
> Hi,
> I'm using httpclient 4.5.2 and the CookieSpec Standard.
> If the response to an HTTP request to http://.../abc contains a cookie for the path /def
> this cookie is rejected by httpclient. This is the correct behavior in case of RFC 2109 (cf.
> https://issues.apache.org/jira/browse/HTTPCLIENT-1043). But RFC 6265 (as far as I know) does
> not state that a cookie path must be a prefix of the request URI path. In 8.6 it is even mentioned
> as a "security problem" that 'an HTTP response to a request for http://example.com/foo/bar
> can set a cookie with a Path attribute of "/qux"'.
> I know that I can work around my problem by using a custom cookie policy. I just wondered
> if this behavior of httpclient is correct with respect to RFC 6265.
> Best regards
> Ole

Hi Ole

I skimmed through the RFC and also could not find a statement supporting
this behavior. This is likely to be a leftover from earlier
implementations of cookie specs.

Please feel free to raise an issue in JIRA for this defect.
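
Added example, not part of the original thread and not HttpClient code: a minimal Python model of the RFC 6265 section 5.1.4 path rules next to the RFC 2109 style prefix check discussed above. It shows that under RFC 6265 the path is only matched when a cookie is sent, not when it is set. All function names and sample paths are constructed for illustration.

```python
# Illustrative model only; names are this example's own, not HttpClient's API.

def default_path(request_path):
    """RFC 6265 section 5.1.4: default-path derived from the request URI path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does request_path path-match cookie_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end on a segment boundary: "/def" matches "/def/x", not "/defender".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def accept_on_set(request_path, path_attr, legacy_prefix_check):
    """Return the path a Set-Cookie is stored under, or None if it is rejected.

    legacy_prefix_check=True models the RFC 2109 section 4.3.2 rule that the
    Path attribute must be a prefix of the request URI (the rejection reported
    in the thread). False models RFC 6265, which has no such check at set time.
    """
    # RFC 6265 section 5.2.4: a missing or non-absolute Path falls back to default-path.
    if not path_attr or not path_attr.startswith("/"):
        cookie_path = default_path(request_path)
    else:
        cookie_path = path_attr
    if legacy_prefix_check and not request_path.startswith(cookie_path):
        return None
    return cookie_path

def compare(cases):
    """For each (request path, Path attribute) pair, return both set-time outcomes."""
    return [(req, attr,
             accept_on_set(req, attr, legacy_prefix_check=True),
             accept_on_set(req, attr, legacy_prefix_check=False))
            for req, attr in cases]

# Constructed sample cases: the thread's /abc vs /def, and the RFC 6265 section 8.6 example.
SAMPLE_CASES = [("/abc", "/def"), ("/foo/bar", "/qux"), ("/abc/x", "/abc")]

if __name__ == "__main__":
    for req, attr, legacy, rfc6265 in compare(SAMPLE_CASES):
        print(f"request={req} Path={attr} legacy={legacy} rfc6265={rfc6265}")
    # Under RFC 6265 the stored cookie is scoped when it is sent back:
    print(path_match("/def/page", "/def"), path_match("/abc", "/def"))
```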

