httpd-apreq-dev mailing list archives

From Clinton Gormley <cl...@traveljury.com>
Subject Re: HttpOnly
Date Fri, 12 Nov 2010 22:22:02 GMT
Hiya

On Fri, 2010-11-12 at 11:59 -0800, Mark Hedges wrote:
> > > On 08/11/2010 15:28, Issac Goldstand wrote:
> > > > On 08/11/2010 15:25, Clinton Gormley wrote:
> > > >>>> I see a patch in Debian which does this:
> > > http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg543361.html
> 
> Sorry if I don't understand what's going on, but is this a
> bug that causes the cookie header to have only the value '1'
> instead of proper headers?
No, this isn't a bug - it's a feature of cookies that is not supported
in the current version of libapreq - the addition of the 'http' flag to
generated cookies:

http://en.wikipedia.org/wiki/HttpOnly#Cookie_theft
> 
> https://rt.cpan.org/Public/Bug/Display.html?id=61744
> 
> Since there's some activity/interest in a new release, maybe
> someone can offer their opinion whether the suggested fix in
> the bug report above is a good idea, or whether this is
> something that needs to be fixed in Apache2::Cookie.  I
> haven't been able to duplicate it-- maybe because I use
> Debian?

I had a read of your bug and the conversation it links to.  This isn't a
bug in libapreq or Apache2::Cookie - some process somewhere (and it
could be from an advert on the user's site) is setting an invalid
cookie, which then gets passed back to apache.

Apache2::Cookie tries to parse it, and chokes on it, throwing an error.
However, you can change how you use Apache2::Cookie to ignore the error
and just retrieve valid cookies as discussed in the conversation linked
to in that bug report:
http://comments.gmane.org/gmane.comp.apache.apreq/4477

clint
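As an added illustration (not code from libapreq, Apache2::Cookie, or either poster), the two points in the message above in Python: a strict parser that fails on the first malformed pair, the way the message describes Apache2::Cookie choking on an invalid cookie; a tolerant parser that skips the bad pair and keeps the valid cookies; and a Set-Cookie builder that emits the HttpOnly flag. The sample Cookie header and the malformed pairs in it are constructed for this example.

```python
import re

# RFC 6265 cookie-name is an HTTP token: no controls, separators or whitespace.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# cookie-value: printable US-ASCII without whitespace, DQUOTE, comma, semicolon, backslash,
# optionally wrapped in double quotes.
_VALUE = re.compile(r'^(?:"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"'
                    r'|[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*)$')

class CookieParseError(ValueError):
    pass

def _split_pair(pair):
    """Split one 'name=value' pair, raising on anything that is not a valid cookie-pair."""
    name, sep, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not _TOKEN.match(name) or not _VALUE.match(value):
        raise CookieParseError(f"malformed cookie pair: {pair!r}")
    return name, value.strip('"')

def parse_cookies_strict(header):
    """Fail on the first bad pair: the whole request loses its cookies, as the thread describes."""
    return dict(_split_pair(p) for p in header.split(";") if p.strip())

def parse_cookies_tolerant(header):
    """Skip bad pairs (e.g. one set by a third-party script) and keep the valid cookies.
    Returns (cookies, rejected_pairs) so the rejects can still be logged."""
    cookies, rejected = {}, []
    for pair in header.split(";"):
        if not pair.strip():
            continue
        try:
            name, value = _split_pair(pair)
        except CookieParseError:
            rejected.append(pair.strip())
            continue
        cookies[name] = value
    return cookies, rejected

def set_cookie_header(name, value, http_only=True, secure=True, path="/"):
    """Build a Set-Cookie header; HttpOnly keeps script (document.cookie) from reading it."""
    _split_pair(f"{name}={value}")  # refuse to emit a cookie we could not parse back ourselves
    attrs = [f"{name}={value}", f"Path={path}"]
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)

# Constructed request header: two good cookies around a nameless pair and a name with a space.
SAMPLE_COOKIE_HEADER = "session=abc123; =bogus; user id=joe; pref=dark"
```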