tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: That Cookie thing
Date Mon, 01 Jul 2002 17:57:35 GMT


On Mon, 1 Jul 2002, John Baker wrote:

> Date: Mon, 1 Jul 2002 13:20:31 +0100
> From: John Baker <jbaker@teamenergy.com>
> Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> Subject: Re: That Cookie thing
>
> On Monday 01 July 2002 13:16, peter lin wrote:
> > that's the problem with assumptions :)
> >
> > Actually I believe the W3C spec says the path will default to directory
> > the pages resides in. So that page /hello/greeting.jsp will have
> > "/hello" as the path.  Only files under "/hello" can read the cookie.
> > Atleast that's my understanding of how cookie path is supposed to be
> > set.  Some one correct me if I am wrong.
>
> Well a reliable source tells me that there is no w3c spec for Cookies, and
> infact the concept was conjured by Netscape. There is an RFC spec for
> Cookies, but it's largely ignored.
>
> So as the useful browsers out there ignore Cookie requests without a path, it
> might be handy to add it by default so other people don't spend an hour or
> two sitting there thinking "Why doesn't this work?". The current context path
> would be handy, so the response code could look like this:
>
> public void addCookie(Cookie c)
> {
> 	// whatever
> 	if (c.getPath() == null)
> 		c.setPath(getContextPath());
> 	// etc
> }
>

IMHO, Tomcat should ensure that cookies *it* creates always have a path
(they do), but it's a breach of faith to go messing around with cookies
hand crafted by the application.  Those should be assumed to have been set
up exactly the way that the app wanted them.  How can the server blindly
assume that the client is a browser that is broken in this respect, and
that all future browser versions will suffer from the same problem?

> Just a thought :)
>

Craig


>
> > peter
> >
> > John Baker wrote:
> > > On Monday 01 July 2002 12:59, peter lin wrote:
> > > > if you want the cookies to be readable by all pages, you should set it
> > > > to "/".  That's standard practice. Also, if you have multiple webserver
> > > > with names like www1, www2, www3....., you should also set the cookie
> > > > to use yourbiz.com.
> > >
> > > I know this ;-) But I'd forgotten to put the / there, and assumed the
> > > browser would assume this if no / was passed to it. However they don't,
> > > so I was suggesting that if a Cookie has no path set then one should be
> > > written by default as a totally useless header is currently written in
> > > the form:
> > >
> > > Set-Cookie: someName=someValue; expires....
> > >
> > > and due to the lack of a path, every browser ignores it.
>
> --
> John Baker, BSc CS.
> Java Developer, TEAM/Slb. http://www.teamenergy.com
> Views expressed in this mail are my own.
>
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
>
>


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message