hi,
is it really necessary or needed to validate the path information when
setting a cookie? is this an RFC spec?

i experienced troubles when cookies are set for a following site, so
paths do not match. this is done when sessions are initialized before a
(for example) login screen and the login appears within a new session.
what security concerns led to this check? normal browser behaviour is
just saving the cookie and matching the domain and path when setting.

maybe the following check is a little too secure:
// reject a Set-Cookie whose Path attribute is not a prefix of the request path
if (cookie.getPath() != null && !path.startsWith(cookie.getPath())) {
   if (log.isInfoEnabled()) {
      log.info("Cookie.parse(): Rejecting set cookie header \"" +
               setCookie.getValue() + "\" because \"" +
               cookie.getName() + "\" has an illegal path attribute (\"" +
               cookie.getPath() + "\") for the given path \"" + path + "\".");
   }
   throw new HttpException(
      "Bad Set-Cookie header: " + setCookie.getValue() +
      " Header targets a different path, found \"" +
      cookie.getPath() + "\" for \"" + path + "\"");
}

throwing an exception (and catching it httpclient internally with only a
log message) does not seem the best solution either. it was really hard to
track down with normal use. when throwing the exception, don't you think
other cookies could get lost (this is not only specific to this security
check)?
 
why is the default cookie version 0?

thank you,
thomas
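The check quoted in the message, as an added example in Python that is not HttpClient's code: it implements the RFC 2109 section 4.3.2 rejection rule the snippet enforces (a Set-Cookie whose Path attribute does not path-match the request URI is refused), but compares paths on segment boundaries as RFC 6265 section 5.1.4 later specified, so Path=/ap does not match /app, derives the default path when the attribute is absent, and rejects per cookie rather than throwing, so the other cookies in the same response survive. The request path and Set-Cookie headers are constructed to mirror the login scenario described above and are not taken from any real server.

```python
"""Validate Set-Cookie Path attributes against the request path.

Added example, not HttpClient's code. A cookie is stored only if its Path
attribute path-matches the request-URI path; an explicit Path that does not
match is rejected per cookie, so one bad header cannot drop the others.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    path: str            # explicit Path attribute, or the derived default
    path_explicit: bool  # True when the header carried a Path attribute


def default_path(request_path: str) -> str:
    """Default cookie path (RFC 6265 5.1.4): the request path up to, but not
    including, the right-most '/'; '/' if there is at most one slash."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: identical, or cookie_path is a prefix that
    ends in '/' or is followed by '/' in request_path (so /shop does not
    match /shopping, which a bare startsWith() would accept)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header: str, request_path: str) -> Optional[Cookie]:
    """Parse one Set-Cookie header value; returns None if there is no name=value pair."""
    parts = [p.strip() for p in header.split(";")]
    if not parts[0] or "=" not in parts[0]:
        return None
    name, value = parts[0].split("=", 1)
    name = name.strip()
    if not name:
        return None
    path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # a Path value that does not start with '/' is ignored (RFC 6265 5.2.4)
        if key.strip().lower() == "path" and val.strip().startswith("/"):
            path = val.strip()
    if path is None:
        return Cookie(name, value.strip(), default_path(request_path), False)
    return Cookie(name, value.strip(), path, True)


def accept_cookies(request_path: str,
                   set_cookie_headers: List[str]) -> Tuple[List[Cookie], List[str]]:
    """Apply the path check to every Set-Cookie header of one response.

    Returns the accepted cookies and a human-readable reason for each rejection.
    Rejection is per cookie: no exception aborts processing of the remaining headers.
    """
    accepted: List[Cookie] = []
    rejected: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header, request_path)
        if cookie is None:
            rejected.append(f"unparseable Set-Cookie: {header!r}")
            continue
        if cookie.path_explicit and not path_matches(request_path, cookie.path):
            rejected.append(f"{cookie.name}: Path={cookie.path!r} does not "
                            f"path-match request path {request_path!r}")
            continue
        accepted.append(cookie)
    return accepted, rejected


# Constructed scenario: the session cookie was scoped to /shop, but the login
# page is served from /login.jsp, so the server's Path no longer matches.
REQUEST_PATH = "/login.jsp"
RESPONSE_HEADERS = [
    "JSESSIONID=ABC123; Path=/shop",  # constructed; Path does not match -> rejected
    "lang=en; Path=/",                # '/' path-matches every request path -> accepted
    "theme=dark",                     # no Path attribute -> default path '/' -> accepted
]


def main() -> None:
    accepted, rejected = accept_cookies(REQUEST_PATH, RESPONSE_HEADERS)
    for c in accepted:
        print(f"stored   {c.name}={c.value} (path={c.path})")
    for reason in rejected:
        print(f"rejected {reason}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the one rejection for JSESSIONID and the two stored cookies, which is the outcome the message asks about: the path check itself is mandated by RFC 2109, but reporting it per cookie keeps the unrelated cookies in the same response.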

