From: Christopher Schultz
To: Tomcat Users List
Date: Wed, 15 Sep 2010 10:34:11 -0400
Subject: Re: HtttServletRequest.getSession()

André,

Thanks for further investigation. Comments, as always, are below.

On 9/14/2010 6:17 PM, André Warnier wrote:
> 3.3.3 Cookie Management
>
> If a user agent receives a Set-Cookie2
> response header whose NAME is the same as that of a cookie it has
> previously stored, the new cookie supersedes the old when: the old
> and new Domain attribute values compare equal, using a case-
> insensitive string-compare; and, the old and new Path attribute
> values string-compare equal (case-sensitive).

This was the business I was looking for.

> Personal interpretation, inasmuch as necessary:
>
> Neither the "Port" nor the "Secure" attributes are "identifiers" of the
> cookie; 2 cookies which have the same name and domain and path, but
> different "Port" and/or "Secure" attributes, are the same cookie, and
> one overwrites the other.

Exactly.

> So a browser should never return 2 cookies with the same name and path,
> with a request to the same host.

Well, the browser doesn't have to report the path to the server when
sending a request. It is still (definitely!) possible to get more than
one cookie with the same name yet different values sent to the server.
Believe me, I've seen it happen and had to fix my nested web application
paths to prevent that (self-inflicted) stupidity from interfering with
my webapp's operation.

> 2. If the attribute is present but has no value (e.g., Port), the
> cookie MUST only be sent to the request-port it was received
> from.

That's interesting: "use the current port" without being explicit.

> An interesting question is still this:
> if a server sends 2 cookies to a browser, with the same name and path,
> but a different domain: cookie 1 has a domain "myhost.mycompany.com",
> and cookie 2 a domain of ".company.com".
>
> According to what I understand, the browser should cache both cookies
> separately, as they differ by the domain attribute.
> But should the browser return both cookies with the next request to the
> same host?

Yup!

-chris
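
The cookie identity rule and the several-cookies-with-one-name behaviour discussed in this message, as an added example that is not part of the original thread: a simplified Python model of the RFC 2965 store-and-send rules, with a server-side check for duplicated names. The names `CookieJar`, `domain_match` and `duplicated_names`, and all host names, ports and values, are constructed for illustration.

```python
# Added illustration: simplified RFC 2965 model (no expiry, default paths or Port/Secure send filtering).
from collections import Counter


def domain_match(host, domain):
    """Exact match, or host falls under a leading-dot Domain (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and host.endswith(domain))


class CookieJar:
    def __init__(self):
        self._store = {}  # (name, lowercased domain, path) -> stored cookie

    def set_cookie(self, name, value, domain, path, secure=False, port=None):
        # Section 3.3.3: identity is NAME + Domain (case-insensitive) + Path
        # (case-sensitive). Secure and Port are stored but are not part of the
        # key, so a cookie differing only in those supersedes the old one.
        self._store[(name, domain.lower(), path)] = {
            "name": name, "value": value, "domain": domain,
            "path": path, "secure": secure, "port": port,
        }

    def __len__(self):
        return len(self._store)

    def cookies_for(self, host, request_path):
        """(name, value) pairs for a request; more specific paths come first."""
        hits = [c for c in self._store.values()
                if domain_match(host, c["domain"])
                and request_path.startswith(c["path"])]
        hits.sort(key=lambda c: len(c["path"]), reverse=True)
        # As the message notes, the path need not be reported: only name=value is returned.
        return [(c["name"], c["value"]) for c in hits]


def duplicated_names(pairs):
    """Server-side check: cookie names that arrived more than once."""
    counts = Counter(name for name, _ in pairs)
    return sorted(n for n, k in counts.items() if k > 1)


# Constructed sample data: host names, port and values are made up.
jar = CookieJar()
jar.set_cookie("JSESSIONID", "A", "myhost.example.com", "/app")
jar.set_cookie("JSESSIONID", "B", "MYHOST.example.com", "/app", secure=True, port="8443")
jar.set_cookie("JSESSIONID", "C", ".example.com", "/app")
jar.set_cookie("JSESSIONID", "D", "myhost.example.com", "/app/admin")
sent = jar.cookies_for("myhost.example.com", "/app/admin/index.jsp")
```

Here `sent` carries three `JSESSIONID` values (D, B, C): A was superseded by B, while the dot-domain and nested-path cookies are separate entries that all match the request.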