Hello All, I have a problem with my application of HTTPClient relating to the way that HttpMethodBase::ParseResponseHeaders handles rejecting cookies.
My problem is that when one cookie in the set-cookie(2) header is considered invalid (call to parser.validate throws an exception) (because the domain is for a third party, for example) all cookies in the header that haven't been process are dropped. In my application, I want to reject cookies that don't match the domain and accept cookies that do match the domain. This problem can not be solved with a new cookie policy because the problem is in how HttpMethodBase::ParseResponseHeaders handles the exception thrown by parser.validate. RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2 header and rejecting others is ok. See section 3.3.2: "To prevent possible security or privacy violations, a user agent rejects A COOKIE according to rules below." (emphasis is mine) In addition, IE and Netscape do accept all of the valid cookies on a Set-Cookie(2) header. What is a valid cookie to IE and Netscape depends on how you set the cookie policy within that program and is more complicated that what HttpClient currently supports. If this is a desired change, I have attached my implementation of HttpMethodBase::ParseResponseHeaders to be added to HttpClient. If requested, I can also provide a patch. Sincerely, James. protected void processResponseHeaders(HttpState state, HttpConnection conn) { LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, " + "HttpConnection)"); // add cookies, if any // should we set cookies? String cookieHeaderName = "set-cookie2"; Header setCookieHeader = getResponseHeader(cookieHeaderName); if (null == setCookieHeader) { //ignore old-style if new is supported cookieHeaderName = "set-cookie"; setCookieHeader = getResponseHeader(cookieHeaderName); } if (setCookieHeader != null) { // Parse cookies -- an error parsing the set-cookie header dumps all // cookies in this header. CookieSpec parser = CookiePolicy.getSpecByPolicy(state.getCookiePolicy()); Cookie[] cookies = null; try { cookies = parser.parse( conn.getHost(), conn.getPort(), getPath(), conn.isSecure(), setCookieHeader); } catch (MalformedCookieException e) { if (LOG.isWarnEnabled()) { LOG.warn("Could not parse " + cookieHeaderName + " header: \"" + setCookieHeader.getValue() + "\". " + e.getMessage()); } } // Validate cookies -- only valid cookies are added. Invalid cookies // are logged and ignored. if (cookies != null) { for (int i = 0; i < cookies.length; i++) { Cookie cookie = cookies[i]; boolean accepted = true; try { parser.validate( conn.getHost(), conn.getPort(), getPath(), conn.isSecure(), cookie); } catch (MalformedCookieException e) { accepted = false; if (LOG.isWarnEnabled()) { LOG.warn("Cookie rejected: \"" + parser.formatCookie(cookie) + "\". " + e.getMessage()); } } if (accepted) { if (LOG.isDebugEnabled()) { LOG.debug("Cookie accepted: \"" + parser.formatCookie(cookie) + "\""); } state.addCookie(cookie); } } } } } --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]