httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Schaefer <>
Subject Re: mod_usertrack bugfix patch
Date Tue, 11 Mar 2003 15:12:42 GMT
"Manni Wood" <> writes:


> 1. I looked into the cookie RFC, which refers to the HTTP RFC on what
> the definition of a quoted value is. Interestingly, a quoted value is
> not allowed to contain quotes, not even escaped quotes. Can someone
> correct me on my assumption if I am wrong? More interestingly, I see no
> reason why an unquoted value cannot contain unescaped quotes --- it's
> just not allowed to contain spaces.

Good point.  IMO RFC 2965 is vague on this point, but there is
an errata process underway that will address this issue.  If 
you/anyone is interested in participating, please email me directly.

> 2. A valid cookie in the header does not need a value. Hence, you can
> have, in the cookie header, a cookie name, followed by a semi-colon,
> instead of the equal sign and value and *then* the semi-colon you would
> expect.

The specs do require an "=" sign, even if the VALUE is empty; although
it's good practice for a server-side parser to tolerate its absence.

> 3. A valid cookie header can separate its cookie/value pairs with commas
> as well as semi-colons, and can have space before and after the
> semi-colons or commas.
> 4. A valid cookie/value pair can have space before and after the equal
> sign.

These are also debatable.  The 2965 errata will hopefully address 
these as well.

> 5. My state machine, based on my extensive testing, gracefully handles
> all the above assumptions, and also gracefully aborts searching
> malformed cookie headers. The resulting state machine is not as simple
> as I had hoped!

Cool! You might also consider subscribing to the apreq-dev list, since
we're doing the same sort of thing.

Best wishes.
Joe Schaefer

View raw message