tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Trollinger" <>
Subject RE: That Cookie thing
Date Mon, 01 Jul 2002 12:53:25 GMT
I have to disagree with the default as well.. as that can be dangerous
to someone who simply forgot to supply the path.. this could cause
security issues with where the cookie can be read..  the way is
currently works if you forgot to provide the path a you will find out
quickly that something is not working in the same manor that you did and
can fix it.

-----Original Message-----
From: John Baker [] 
Sent: Monday, July 01, 2002 8:33 AM
To: Tomcat Developers List
Subject: Re: That Cookie thing

On Monday 01 July 2002 13:29, Tim Funk wrote:
>    OR
>    OR
> PATH=path
> Optional. The Path attribute specifies the subset of URLs to which
> cookie applies.

But as IE/Moz/Konqueror (anyone else fancy trying some others?) ignore
would it be more useful to provide a default in some way so it isn't
The chances of getting all those three to stick to the spec are low ;-)
even a warning in the logs that your code is not likely to work?

Of course, normally I'd say "follow the spec", but sadly if your target 
audience doesn't, there isn't really much you can do.

> John Baker wrote:
> > On Monday 01 July 2002 13:16, peter lin wrote:
> >>that's the problem with assumptions :)
> >>
> >>Actually I believe the W3C spec says the path will default to
> >>the pages resides in. So that page /hello/greeting.jsp will have
> >>"/hello" as the path.  Only files under "/hello" can read the
> >>Atleast that's my understanding of how cookie path is supposed to be
> >>set.  Some one correct me if I am wrong.
> >
> > Well a reliable source tells me that there is no w3c spec for
> > and infact the concept was conjured by Netscape. There is an RFC
spec for
> > Cookies, but it's largely ignored.
> >
> > So as the useful browsers out there ignore Cookie requests without a
> > path, it might be handy to add it by default so other people don't
> > an hour or two sitting there thinking "Why doesn't this work?". The
> > current context path would be handy, so the response code could look
> > this:
> >
> > public void addCookie(Cookie c)
> > {
> > 	// whatever
> > 	if (c.getPath() == null)
> > 		c.setPath(getContextPath());
> > 	// etc
> > }
> >
> > Just a thought :)
> >
> >>peter
> >>
> >>John Baker wrote:
> >>>On Monday 01 July 2002 12:59, peter lin wrote:
> >>>>if you want the cookies to be readable by all pages, you should
set it
> >>>>to "/".  That's standard practice. Also, if you have multiple
> >>>>with names like www1, www2, www3....., you should also set the
> >>>>to use
> >>>
> >>>I know this ;-) But I'd forgotten to put the / there, and assumed
> >>>browser would assume this if no / was passed to it. However they
> >>>so I was suggesting that if a Cookie has no path set then one
should be
> >>>written by default as a totally useless header is currently written
> >>>the form:
> >>>
> >>>Set-Cookie: someName=someValue; expires....
> >>>
> >>>and due to the lack of a path, every browser ignores it.

John Baker, BSc CS.
Java Developer, TEAM/Slb.
Views expressed in this mail are my own.

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message