httpd-dev mailing list archives

From Nick Gearls <nickgea...@gmail.com>
Subject Re: mod_rewrite cookies
Date Wed, 23 Jul 2008 10:35:16 GMT
On 07/19/2008 06:08 PM, Nick Kew wrote:
 > Reviewing the backport proposal in STATUS, it amounts to
 > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=639465&r2=664330&pathrev=664330
 > It still seems to be at risk of generating a malformed cookie,
 > if secure is unset (NULL) but httponly is set.
I ignore the way cookie parts are internally stored, but are they always
stored in this order (expires:path:secure:HttpOnly)?
Couldn't we have ...:HttpOnly:secure?
If so, we could end up comparing strings with the wrong cookie part.

Also, in the internal format, "secure" and "httponly" could be stored as
"1" or "true"?
In rev 664330, both "secure" and "httponly" are compared against "1" and
"true"; in rev 647395 and in the patch attached to bug 44799, only
secure is compared against "1" and "true".
This is quite confusing...
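
A sketch of the two concerns raised in this message, as an added example that is not part of the thread and not mod_rewrite's code: the parts are read strictly by position in the order quoted above (expires:path:secure:HttpOnly), each flag slot accepts only "1" or "true", and each attribute is emitted independently so an unset secure slot cannot affect HttpOnly. The names `flag_slot` and `cookie_attrs`, the rejection of unrecognized tokens and the sample specs in the comments are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: 1 = flag on, 0 = slot empty or absent,
 * -1 = token is neither "1" nor "true" (the spellings named in the thread). */
static int flag_slot(const char *tok)
{
    if (tok == NULL || *tok == '\0') return 0;
    if (strcmp(tok, "1") == 0 || strcasecmp(tok, "true") == 0) return 1;
    return -1;
}

/* Parse "expires:path:secure:httponly" strictly by position and write the
 * attribute suffix to out. Returns 0 on success, -1 on malformed input.
 * The expires slot is parsed but not rendered here. */
int cookie_attrs(const char *spec, char *out, size_t outlen)
{
    char buf[256];
    char *slot[4] = { NULL, NULL, NULL, NULL };
    char *p;
    int i, sec, http, has_path;

    if (strlen(spec) >= sizeof(buf)) return -1;
    strcpy(buf, spec);
    /* Split by hand: strtok() would merge empty slots and shift positions. */
    for (i = 0, p = buf; i < 4; i++) {
        slot[i] = p;
        if ((p = strchr(p, ':')) == NULL) break;
        *p++ = '\0';
    }
    if (i == 4) return -1;                 /* more than four parts */
    sec = flag_slot(slot[2]);
    http = flag_slot(slot[3]);
    if (sec < 0 || http < 0) return -1;    /* e.g. keywords in swapped order */
    has_path = slot[1] != NULL && *slot[1] != '\0';

    /* Every attribute is an independent "%s", so an unset secure slot cannot
     * cut off or corrupt the HttpOnly attribute that follows it. */
    snprintf(out, outlen, "%s%s%s%s",
             has_path ? "; path=" : "", has_path ? slot[1] : "",
             sec ? "; secure" : "", http ? "; HttpOnly" : "");
    return 0;
}
```

Rejecting a token such as "HttpOnly" in the secure slot, rather than treating it as "not set", keeps a misordered spec from silently producing a cookie without its security flags.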
