Hi James, I am known as Cookie Taliban here for imposing strict, at times literal, interpretation of cookie related RFCs ;-)
First of all, RFC 2965 has not been implemented yet, even though HttpClient offers limited support for set-cookie2 headers. Currently HttpClient per default uses RFC2109 compliant cookie management. I just wonder if you have tried using the cookie compatibility policy that HttpClient provides in addition to RFC2109 compliant and Netscape Draft compliant cookie specs? It does go lightly on all sorts of non-compliant cookies

    client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);

If the compatibility policy does not yield desirable results, I'd suggest writing a custom cookie spec class, rather than tweaking HttpMethodBase class.

I'll look into RFC 2109 regarding the correct way invalid cookies should be rejected

Cheers

Oleg

On Thu, 2003-02-13 at 20:30, Couball, James wrote:
> Hello All,
>
> I have a problem with my application of HTTPClient relating to the way that
> HttpMethodBase::ParseResponseHeaders handles rejecting cookies.
>
> My problem is that when one cookie in the set-cookie(2) header is considered
> invalid (call to parser.validate throws an exception) (because the domain is
> for a third party, for example) all cookies in the header that haven't been
> processed are dropped. In my application, I want to reject cookies that don't
> match the domain and accept cookies that do match the domain. This problem
> can not be solved with a new cookie policy because the problem is in how
> HttpMethodBase::ParseResponseHeaders handles the exception thrown by
> parser.validate.
>
> RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2
> header and rejecting others is ok. See section 3.3.2: "To prevent possible
> security or privacy violations, a user agent rejects A COOKIE according to
> rules below." (emphasis is mine)
>
> In addition, IE and Netscape do accept all of the valid cookies on a
> Set-Cookie(2) header. What is a valid cookie to IE and Netscape depends on
> how you set the cookie policy within that program and is more complicated
> than what HttpClient currently supports.
>
> If this is a desired change, I have attached my implementation of
> HttpMethodBase::ParseResponseHeaders to be added to HttpClient. If
> requested, I can also provide a patch.
>
> Sincerely,
> James.
>
> protected void processResponseHeaders(HttpState state,
>     HttpConnection conn) {
>     LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, "
>         + "HttpConnection)");
>
>     // add cookies, if any
>     // should we set cookies?
>     String cookieHeaderName = "set-cookie2";
>     Header setCookieHeader = getResponseHeader(cookieHeaderName);
>     if (null == setCookieHeader) { //ignore old-style if new is supported
>         cookieHeaderName = "set-cookie";
>         setCookieHeader = getResponseHeader(cookieHeaderName);
>     }
>
>     if (setCookieHeader != null) {
>
>         // Parse cookies -- an error parsing the set-cookie header dumps all
>         // cookies in this header.
>
>         CookieSpec parser =
>             CookiePolicy.getSpecByPolicy(state.getCookiePolicy());
>         Cookie[] cookies = null;
>         try {
>             cookies = parser.parse(
>                 conn.getHost(),
>                 conn.getPort(),
>                 getPath(),
>                 conn.isSecure(),
>                 setCookieHeader);
>         }
>         catch (MalformedCookieException e) {
>             if (LOG.isWarnEnabled()) {
>                 LOG.warn("Could not parse " + cookieHeaderName + " header: \""
>                     + setCookieHeader.getValue()
>                     + "\". " + e.getMessage());
>             }
>         }
>
>         // Validate cookies -- only valid cookies are added. Invalid cookies
>         // are logged and ignored.
>
>         if (cookies != null) {
>             for (int i = 0; i < cookies.length; i++) {
>                 Cookie cookie = cookies[i];
>                 boolean accepted = true;
>                 try {
>                     parser.validate(
>                         conn.getHost(),
>                         conn.getPort(),
>                         getPath(),
>                         conn.isSecure(),
>                         cookie);
>                 }
>                 catch (MalformedCookieException e) {
>                     accepted = false;
>                     if (LOG.isWarnEnabled()) {
>                         LOG.warn("Cookie rejected: \""
>                             + parser.formatCookie(cookie)
>                             + "\". " + e.getMessage());
>                     }
>                 }
>                 if (accepted) {
>                     if (LOG.isDebugEnabled()) {
>                         LOG.debug("Cookie accepted: \""
>                             + parser.formatCookie(cookie) + "\"");
>                     }
>                     state.addCookie(cookie);
>                 }
>             }
>         }
>     }
> }
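
Added example, not part of the original thread and not HttpClient code: a JDK-only sketch of the behaviour discussed above, where each cookie in one Set-Cookie header is validated on its own so that a rejected third-party cookie does not discard the others. The class and method names, the naive comma/semicolon splitting and the domain rules (a simplified reading of RFC 2109 section 4.3.2) are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class PerCookieValidation {

    /** Returns null if the Domain attribute is acceptable, else the rejection reason. */
    static String rejectReason(String host, String domain) {
        if (domain == null) return null;              // no Domain: defaults to request host
        String d = domain.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!d.startsWith(".")) return "domain must start with a dot";
        int dot = d.indexOf('.', 1);
        if (dot < 0 || dot == d.length() - 1) return "domain has no embedded dot";
        if (!h.endsWith(d)) return "host does not domain-match";
        String prefix = h.substring(0, h.length() - d.length());
        if (prefix.indexOf('.') >= 0) return "host prefix contains a dot";
        return null;
    }

    /** Validates every cookie independently; one rejection never drops the rest. */
    static List<String> accept(String host, String headerValue) {
        List<String> accepted = new ArrayList<>();
        for (String cookie : headerValue.split(",")) {    // naive split (assumption)
            String[] parts = cookie.trim().split(";");
            String pair = parts[0].trim();
            if (pair.isEmpty()) continue;
            String domain = null;
            for (int i = 1; i < parts.length; i++) {
                String[] kv = parts[i].trim().split("=", 2);
                if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("domain")) {
                    domain = kv[1].trim();
                }
            }
            String reason = rejectReason(host, domain);
            if (reason == null) {
                accepted.add(pair);
            } else {
                System.err.println("Cookie rejected: " + pair + " (" + reason + ")");
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed header: the middle cookie names a third-party domain.
        String header = "sid=abc; Domain=.example.com; Path=/, "
                + "track=1; Domain=.ads.test, theme=dark";
        System.out.println(accept("www.example.com", header));
    }
}
```

The comma split is only safe for RFC 2109 style headers that use Max-Age; Netscape-style Expires dates contain commas and need a real parser.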