httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <>
Subject RE: mod_usertrack bugfix patch
Date Tue, 11 Mar 2003 08:38:02 GMT

On Mon, 10 Mar 2003, Manni Wood wrote:

> 1. I looked into the cookie RFC, which refers to the HTTP RFC on what
> the definition of a quoted value is. Interestingly, a quoted value is
> not allowed to contain quotes, not even escaped quotes. Can someone
> correct me on my assumption if I am wrong? More interestingly, I see no
> reason why an unquoted value cannot contain unescaped quotes --- it's
> just not allowed to contain spaces.

Aye - bear in mind the IETF dogma; be strict in what you send; lesuire in
what you accept. So in this case - we should make sure that any cookies we
send stick to the limited/strict definition; but should be able to accept
anything without spaces/quoted.

> 2. A valid cookie in the header does not need a value. Hence, you can
> have, in the cookie header, a cookie name, followed by a semi-colon,
> instead of the equal sign and value and *then* the semi-colon you would
> expect.

Right - and this you actually see in the wild. I think broadvision does
this to do some clever browser detect.

> 3. A valid cookie header can separate its cookie/value pairs with commas
> as well as semi-colons, and can have space before and after the
> semi-colons or commas.

Yes - this is seen in the wild too. I think it is something Akamai or some
other 'accelerator' does.

> 4. A valid cookie/value pair can have space before and after the equal
> sign.

Yes - this is seen in the wild too. I've ran into this several times with
walled-garden WAP gateways to the internet.

> 5. My state machine, based on my extensive testing, gracefully handles
> all the above assumptions, and also gracefully aborts searching
> malformed cookie headers. The resulting state machine is not as simple
> as I had hoped!

Aye ! Looks good.


View raw message