hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Schulz-Hildebrandt, Ole" <Ole.Schulz-Hildebra...@ppimedia.de>
Subject RFC 6265 and non-prefix cookie path
Date Fri, 25 Nov 2016 15:02:55 GMT

I'm using httpclient 4.5.2 and the CookieSpec Standard.

If the response to a http request to http://.../abc contains a cookie for the path /def this
cookie is rejected by httpclient. This is the correct behavior in case of RFC 2109 (cf. https://issues.apache.org/jira/browse/HTTPCLIENT-1043).
But RFC 6265 (as far as I know) does not state that a cookie path must be a prefix of the
request uri path. In 8.6 it is even mentioned as a "security problem" that 'an HTTP response
to a request for http://example.com/foo/bar can set a cookie with a Path attribute of "/qux"'.

I know that I can workaround my problem by using a custom cookie policy. I just wondered if
this behavior of httpclient is correct with respect to RFC 6265.

Best regards

To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

View raw message