httpd-apreq-dev mailing list archives

From Mark Hedges <hed...@formdata.biz>
Subject Re: HttpOnly
Date Fri, 12 Nov 2010 22:25:52 GMT


On Fri, 12 Nov 2010, Clinton Gormley wrote:

> http://en.wikipedia.org/wiki/HttpOnly#Cookie_theft

Thanks, I will add this option to A2C session cookies when
it's ready... no reason to be giving that away.

> I had a read of your bug and the conversation it links to.
> This isn't a bug in libapreq or Apache2::Cookie - some
> process somewhere (and it could be from an advert on the
> user's site) is setting an invalid cookie, which then gets
> passed back to apache.
>
> Apache2::Cookie tries to parse it, and chokes on it,
> throwing an error. However, you can change how you use
> Apache2::Cookie to ignore the error and just retrieve
> valid cookies as discussed in the conversation linked to
> in that bug report:
> http://comments.gmane.org/gmane.comp.apache.apreq/4477

Thanks for the confirmation!

Mark
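
An added example, not part of the original message and not code from Apache2::Cookie or libapreq: a standalone Perl script covering the two points in this thread, skipping malformed pairs in a Cookie header so the valid ones remain readable, and marking a session cookie HttpOnly. The function names and the sample header are constructed for illustration, and it does not use the Apache2::Cookie API.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 6265 grammar: cookie-name is an HTTP token, cookie-value is cookie-octets.
my $NAME  = qr/[!#\$%&'*+\-.^_\x60|~0-9A-Za-z]+/;
my $VALUE = qr/[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*/;

# Parse a Cookie request header. Malformed pairs are collected in @rejected
# instead of aborting the whole parse, so valid cookies stay usable.
sub parse_cookie_header {
    my ($header) = @_;
    my (%valid, @rejected);
    for my $pair (split /;/, $header // '') {
        $pair =~ s/^\s+|\s+$//g;
        next if $pair eq '';
        if ($pair =~ /\A($NAME)=("?)($VALUE)\2\z/) {
            $valid{$1} = $3 unless exists $valid{$1};   # first occurrence wins
        } else {
            push @rejected, $pair;                      # log these, never trust them
        }
    }
    return (\%valid, \@rejected);
}

# Build a Set-Cookie value for a session cookie. HttpOnly keeps it out of
# document.cookie; Secure restricts it to HTTPS.
sub session_set_cookie {
    my ($name, $value) = @_;
    die "invalid cookie name\n"  unless $name  =~ /\A$NAME\z/;
    die "invalid cookie value\n" unless $value =~ /\A$VALUE\z/;
    return "$name=$value; Path=/; Secure; HttpOnly";
}

# Constructed sample header: two valid cookies and two malformed ones.
my $header = 'session=abc123; bad cookie=x y; tracker; theme=dark';
my ($valid, $rejected) = parse_cookie_header($header);
print "valid:    $_=$valid->{$_}\n" for sort keys %$valid;
print "rejected: $_\n" for @$rejected;
print "Set-Cookie: ", session_set_cookie('session', 'abc123'), "\n";
```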
