You know, I always end up agreeing with you. ;-) Blessed be all compliant cookies under the moon Time to go back to my cave.
Omar On Fri, 2003-02-14 at 00:07, Jeffrey Dever wrote: > Well Omar Kalnichevski, they don't say if a Set-Cookie header should be > rejected, or if a Set-Cookie value should be rejected on those rejection > criteria. A broken cookie does not effect the integretity of the other > cookies and so we should be accepting in what we take in. > > "One broken cookie in the cookie jar does not make the cookie jar broken" > Cookie Monster, Seseme Street. > http://pbskids.org/sesame/letter/ > > > > Oleg Kalnichevski wrote: > > >Jandalf, James > > > >The wording of the RFC2109 is unsurprisingly vague, however, in my > >opinion HttpClient is correct in rejecting the entire set Set-Cookie > >header. > > > >See the following quote from the RFC2109: > >============================= > >4.3.2 Rejecting Cookies > > > >... > > > >Examples: > > > > * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com > > would be rejected, because H is y.x and contains a dot. > > > > * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would > > be accepted. > > > > * A Set-Cookie with Domain=.com or Domain=.com., will always be > > rejected, because there is no embedded dot. > > > > * A Set-Cookie with Domain=ajax.com will be rejected because the > > value for Domain does not begin with a dot. > >=========================== > > > >I tend to interpret the above stated statements as referring to the > >Set-Cookie header, rather than an individual cookie. Please let me know > >if you see it differently > > > >Faithfully yours, > > > >Cookie Taliban > > > > > >On Thu, 2003-02-13 at 21:02, Jeffrey Dever wrote: > > > > > >>Good argument. I'd say you are right that cookies should be > >>accepted/rejected based on individual merits and not on the entire > >>cookie header. A patch (in unidiff format) would be helpful in > >>evaluation what you propose to change. > >> > >>Jandalf. > >> > >> > >>Couball, James wrote: > >> > >> > >> > >>>Hello All, > >>> > >>>I have a problem with my application of HTTPClient relating to the way that > >>>HttpMethodBase::ParseResponseHeaders handles rejecting cookies. > >>> > >>>My problem is that when one cookie in the set-cookie(2) header is considered > >>>invalid (call to parser.validate throws an exception) (because the domain is > >>>for a third party, for example) all cookies in the header that haven't been > >>>process are dropped. In my application, I want to reject cookies that don't > >>>match the domain and accept cookies that do match the domain. This problem > >>>can not be solved with a new cookie policy because the problem is in how > >>>HttpMethodBase::ParseResponseHeaders handles the exception thrown by > >>>parser.validate. > >>> > >>>RFC 2965 seems to suggest that accepting some cookies in the Set-Cookie2 > >>>header and rejecting others is ok. See section 3.3.2: "To prevent possible > >>>security or privacy violations, a user agent rejects A COOKIE according to > >>>rules below." (emphasis is mine) > >>> > >>>In addition, IE and Netscape do accept all of the valid cookies on a > >>>Set-Cookie(2) header. What is a valid cookie to IE and Netscape depends on > >>>how you set the cookie policy within that program and is more complicated > >>>that what HttpClient currently supports. > >>> > >>>If this is a desired change, I have attached my implementation of > >>>HttpMethodBase::ParseResponseHeaders to be added to HttpClient. If > >>>requested, I can also provide a patch. > >>> > >>>Sincerely, > >>>James. > >>> > >>>protected void processResponseHeaders(HttpState state, > >>> HttpConnection conn) { > >>> LOG.trace("enter HttpMethodBase.processResponseHeaders(HttpState, " > >>> + "HttpConnection)"); > >>> > >>> // add cookies, if any > >>> // should we set cookies? > >>> String cookieHeaderName = "set-cookie2"; > >>> Header setCookieHeader = getResponseHeader(cookieHeaderName); > >>> if (null == setCookieHeader) { //ignore old-style if new is supported > >>> cookieHeaderName = "set-cookie"; > >>> setCookieHeader = getResponseHeader(cookieHeaderName); > >>> } > >>> > >>> if (setCookieHeader != null) { > >>> > >>> // Parse cookies -- an error parsing the set-cookie header dumps all > >>> // cookies in this header. > >>> > >>> CookieSpec parser = > >>>CookiePolicy.getSpecByPolicy(state.getCookiePolicy()); > >>> Cookie[] cookies = null; > >>> try { > >>> cookies = parser.parse( > >>> conn.getHost(), > >>> conn.getPort(), > >>> getPath(), > >>> conn.isSecure(), > >>> setCookieHeader); > >>> } > >>> catch (MalformedCookieException e) { > >>> if (LOG.isWarnEnabled()) { > >>> LOG.warn("Could not parse " + cookieHeaderName + " header: \"" > >>> + setCookieHeader.getValue() > >>> + "\". " + e.getMessage()); > >>> } > >>> } > >>> > >>> // Validate cookies -- only valid cookies are added. Invalid cookies > >>> // are logged and ignored. > >>> > >>> if (cookies != null) { > >>> for (int i = 0; i < cookies.length; i++) { > >>> Cookie cookie = cookies[i]; > >>> boolean accepted = true; > >>> try { > >>> parser.validate( > >>> conn.getHost(), > >>> conn.getPort(), > >>> getPath(), > >>> conn.isSecure(), > >>> cookie); > >>> } > >>> catch (MalformedCookieException e) { > >>> accepted = false; > >>> if (LOG.isWarnEnabled()) { > >>> LOG.warn("Cookie rejected: \"" > >>> + parser.formatCookie(cookie) > >>> + "\". " + e.getMessage()); > >>> } > >>> } > >>> if (accepted) { > >>> if (LOG.isDebugEnabled()) { > >>> LOG.debug("Cookie accepted: \"" > >>> + parser.formatCookie(cookie) + "\""); > >>> } > >>> state.addCookie(cookie); > >>> } > >>> } > >>> } > >>> } > >>>} > >>> > >>> > >>>--------------------------------------------------------------------- > >>>To unsubscribe, e-mail: [EMAIL PROTECTED] > >>>For additional commands, e-mail: [EMAIL PROTECTED] > >>> > >>> > >>> > >>> > >>> > >>> > >> > >>--------------------------------------------------------------------- > >>To unsubscribe, e-mail: [EMAIL PROTECTED] > >>For additional commands, e-mail: [EMAIL PROTECTED] > >> > >> > >> > > > > > >--------------------------------------------------------------------- > >To unsubscribe, e-mail: [EMAIL PROTECTED] > >For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
