On Thu, Jul 18, 2013 at 11:40:14PM +0600, Andrey Khozov
<[email protected]> wrote:
> When AE::HTTP gets the header
> *Set-Cookie: name=data; Path=/; Domain=example.com*
> a key '*.example.com*' (with a leading dot) appears in the jar,
> and at the next HTTP request the cookies are not sent.
Your mails are very confusing - I assume '* means a start quote and *'
means an end quote (using consistent quoting would help enormously), so
the two strings are:
example.com
.example.com
And for this, yes, as per most of the specs and as used in the real world,
the cookie should not be sent, as .example.com only matches subdomains of
example.com. Sending it unconditionally is a security risk.
So, this is not a bug.
Keep in mind that AE::HTTP doesn't enforce its cookie management, it's
entirely optional, and, as mentioned in the documentation, you can use
other implementations that might implement your take on how cookies should
work, or implement your own.
Again, there is no official specification (or rather, there are many, but
no agreed-upon one) for how this should be done, so your idea is likely as
good as mine. AE::HTTP is designed to err on the conservative side.
--
The choice of a Deliantra, the free code+content MORPG
-----==- _GNU_ http://www.deliantra.net
----==-- _ generation
---==---(_)__ __ ____ __ Marc Lehmann
--==---/ / _ \/ // /\ \/ / [email protected]
-=====/_/_//_/\_,_/ /_/\_\
_______________________________________________
anyevent mailing list
[email protected]
http://lists.schmorp.de/mailman/listinfo/anyevent
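
Added example, not part of the original mail and not AnyEvent::HTTP's own code: a Perl comparison of the leading-dot matching the reply describes with the domain-match of RFC 6265 (section 5.1.3), which drops a leading dot before comparing. The function names and the sample host names are constructed for illustration.

```perl
use strict;
use warnings;

# Reading used in the reply: a jar key with a leading dot matches
# subdomains only; a key without one matches that exact host only.
sub match_strict {
    my ($host, $key) = map { lc $_ } @_;
    return $host eq $key unless $key =~ /^\./;
    return length($host) > length($key)
        && substr($host, -length($key)) eq $key;
}

# RFC 6265 section 5.1.3: a leading dot is dropped, then the host matches
# if it equals the domain or ends in ".domain" (IP literals: equality only).
sub match_rfc6265 {
    my ($host, $domain) = map { lc $_ } @_;
    $domain =~ s/^\.//;
    return 1 if $host eq $domain;
    return 0 if $host =~ /^[0-9.]+$/ || $host =~ /:/;
    return length($host) > length($domain)
        && substr($host, -(length($domain) + 1)) eq ".$domain";
}

# Constructed sample hosts; the last two are look-alikes that must never match.
my @hosts = qw(example.com www.example.com a.b.example.com
               badexample.com example.com.evil.test);

for my $key ('example.com', '.example.com') {
    printf "jar key %s\n", $key;
    for my $host (@hosts) {
        printf "  %-24s strict=%-4s rfc6265=%s\n", $host,
            (match_strict($host, $key)  ? 'send' : 'skip'),
            (match_rfc6265($host, $key) ? 'send' : 'skip');
    }
}
```

For the key `.example.com` the strict reading skips the host `example.com` itself, which is the behaviour reported in this thread, while neither reading sends the cookie to the look-alike hosts.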