Jandalf, James
The wording of the RFC2109 is unsurprisingly vague, however, in my
opinion HttpClient is correct in rejecting the entire set Set-Cookie
header.
See the following quote from the RFC2109:
=============================
4.3.2 Rejecting Cookies
...
Examples:
* A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
would be rejected, because H is y.x and contains a dot.
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
be accepted.
* A Set-Cookie with Domain=.com or Domain=.com., will always be
rejected, because there is no embedded dot.
* A Set-Cookie with Domain=ajax.com will be rejected because the
value for Domain does not begin with a dot.
===========================
I tend to interpret the above stated statements as referring to the
Set-Cookie header, rather than an individual cookie. Please let me know
if you see it differently
Faithfully yours,
Cookie Taliban
On Thu, 2003-02-13 at 21:02, Jeffrey Dever wrote:
> Good argument. I'd say you are right that cookies should be
> accepted/rejected based on individual merits and not on the entire
> cookie header. A patch (in unidiff format) would be helpful in
> evaluation what you propose to change.
>
> Jandalf.
>
>
> Couball, James wrote:
>
> >Hello All,
> >
> >I have a problem with my application of HTTPClient relating to the way that
> >HttpMethodBase::ParseResponseHeaders handles rejecting cookies.
> >
> >My problem is that when one cookie in the set-cookie(2) header is considered
> >invalid (call to parser.validate throws an exception) (because the domain is
> >for a third party, for example) all cookies in the header that haven't been
> >process are dropped. In my application, I want to reject cookies that don't
> >match the domain and accept cookies that do match the domain. This problem
> >can not be solved with a new cookie policy because the problem is in how
> >HttpMethodBase::ParseResponseHeaders handles the exception thrown by
> >parser.validate.
> >
> >RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2
> >header and rejecting others is ok. See section 3.3.2: "To prevent possible
> >security or privacy violations, a user agent rejects A COOKIE according to
> >rules below." (emphasis is mine)
> >
> >In addition, IE and Netscape do accept all of the valid cookies on a
> >Set-Cookie(2) header. What is a valid cookie to IE and Netscape depends on
> >how you set the cookie policy within that program and is more complicated
> >that what HttpClient currently supports.
> >
> >If this is a desired change, I have attached my implementation of
> >HttpMethodBase::ParseResponseHeaders to be added to HttpClient. If
> >requested, I can also provide a patch.
> >
> >Sincerely,
> >James.
> >
> >protected void processResponseHeaders(HttpState state,
> > HttpConnection conn) {
> > LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, "
> > + "HttpConnection)");
> >
> > // add cookies, if any
> > // should we set cookies?
> > String cookieHeaderName = "set-cookie2";
> > Header setCookieHeader = getResponseHeader(cookieHeaderName);
> > if (null == setCookieHeader) { //ignore old-style if new is supported
> > cookieHeaderName = "set-cookie";
> > setCookieHeader = getResponseHeader(cookieHeaderName);
> > }
> >
> > if (setCookieHeader != null) {
> >
> > // Parse cookies -- an error parsing the set-cookie header dumps all
> > // cookies in this header.
> >
> > CookieSpec parser =
> >CookiePolicy.getSpecByPolicy(state.getCookiePolicy());
> > Cookie[] cookies = null;
> > try {
> > cookies = parser.parse(
> > conn.getHost(),
> > conn.getPort(),
> > getPath(),
> > conn.isSecure(),
> > setCookieHeader);
> > }
> > catch (MalformedCookieException e) {
> > if (LOG.isWarnEnabled()) {
> > LOG.warn("Could not parse " + cookieHeaderName + " header: \""
> > + setCookieHeader.getValue()
> > + "\". " + e.getMessage());
> > }
> > }
> >
> > // Validate cookies -- only valid cookies are added. Invalid cookies
> > // are logged and ignored.
> >
> > if (cookies != null) {
> > for (int i = 0; i < cookies.length; i++) {
> > Cookie cookie = cookies[i];
> > boolean accepted = true;
> > try {
> > parser.validate(
> > conn.getHost(),
> > conn.getPort(),
> > getPath(),
> > conn.isSecure(),
> > cookie);
> > }
> > catch (MalformedCookieException e) {
> > accepted = false;
> > if (LOG.isWarnEnabled()) {
> > LOG.warn("Cookie rejected: \""
> > + parser.formatCookie(cookie)
> > + "\". " + e.getMessage());
> > }
> > }
> > if (accepted) {
> > if (LOG.isDebugEnabled()) {
> > LOG.debug("Cookie accepted: \""
> > + parser.formatCookie(cookie) + "\"");
> > }
> > state.addCookie(cookie);
> > }
> > }
> > }
> > }
> >}
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
