hc-httpclient-users mailing list archives

From "Schulz-Hildebrandt, Ole" <Ole.Schulz-Hildebra...@ppimedia.de>
Subject AW: RFC 6265 and non-prefix cookie path
Date Mon, 28 Nov 2016 08:20:54 GMT
> On Fri, 2016-11-25 at 16:02 +0100, Schulz-Hildebrandt, Ole wrote:
> > Hi,
> >
> > I'm using httpclient 4.5.2 and the CookieSpec Standard.
> >
> > If the response to a http request to http://.../abc contains a cookie
> > for the path /def this cookie is rejected by httpclient. This is the
> > correct behavior in case of RFC 2109 (cf.
> > https://issues.apache.org/jira/browse/HTTPCLIENT-1043). But RFC 6265
> > (as far as I know) does not state that a cookie path must be a prefix
> > of the request uri path. In 8.6 it is even mentioned as a "security
> > problem" that 'an HTTP response to a request for
> > http://example.com/foo/bar can set a cookie with a Path attribute of
> > "/qux"'.
> >
> > I know that I can work around my problem by using a custom cookie
> > policy. I just wondered if this behavior of httpclient is correct with
> > respect to RFC 6265.
> >
> > Best regards
> > Ole
> 
> Hi Ole
> 
> I skimmed through the RFC and also could not find a statement
> supporting this behavior. This is likely to be a leftover from earlier
> implementations of cookie specs.
> 
> Please feel free to raise an issue in JIRA for this defect.
> 
> Oleg

Hi Oleg,

thanks for your reply. 
I created https://issues.apache.org/jira/browse/HTTPCLIENT-1788

Ole
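
The two rules discussed in this thread, side by side, as an added example that is not part of the original messages and is not HttpClient code: the RFC 2109 section 4.3.2 rejection check against the RFC 6265 storage and path-match rules (sections 5.1.4, 5.2.4, 5.3). All function names and the sample paths in the demo are assumptions of this sketch.

```python
# Added illustration; these helpers are this example's own, not HttpClient APIs.
from typing import Optional


def rfc2109_accepts(cookie_path: str, request_path: str) -> bool:
    """RFC 2109 4.3.2: reject when Path is not a prefix of the request-URI."""
    return request_path.startswith(cookie_path)


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: default-path derived from the request's uri-path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return request_path[: request_path.rfind("/")]


def rfc6265_stored_path(path_attr: Optional[str], request_path: str) -> str:
    """RFC 6265 5.2.4 / 5.3: the path a cookie is stored under.

    The Path attribute is never compared with the request path here, which
    is the weak-integrity property section 8.6 describes.
    """
    if path_attr and path_attr.startswith("/"):
        return path_attr
    return default_path(request_path)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: is a stored cookie returned with this request?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end at a path-segment boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


if __name__ == "__main__":
    # Constructed case from the thread: request to /abc, Set-Cookie with Path=/def.
    request, attr = "/abc", "/def"
    print("RFC 2109 accepts:", rfc2109_accepts(attr, request))
    stored = rfc6265_stored_path(attr, request)
    print("RFC 6265 stores under:", stored)
    for later in ("/abc", "/def", "/def/page", "/defx"):
        print(f"  sent with {later}:", path_match(later, stored))
```

Under the RFC 6265 rules the cookie is stored but is only returned for requests whose path matches /def, so the request to /abc that set it never receives it back.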

