On Thu, 2014-07-31 at 16:34 -0700, Gregory Chanan wrote:
> Over in HADOOP-10911 (https://issues.apache.org/jira/browse/HADOOP-10911)
> we are trying to figure out a cookie format that works well with httpclient.
>
> The cookie looks something like this:
> hadoop.auth="someValue"; Version=1; Expires=Fri, 01 Aug 2014 09:03:40 GMT;
> HttpOnly
>
> The issue with this is the Expires triggers the cookie to be parsed as a
> netscape cookie, even though the version field is present (I'm using
> httpclient 4.2.5, but trunk seems similar):
> https://github.com/apache/httpclient/blob/405f464a84b0bcb70643db78fe916b0bad83936f/httpclient/src/main/java/org/apache/http/impl/cookie/BestMatchSpec.java#L106-L114
>

Greg

The problem is that the 'expires' attribute in question is malformed (contains a comma that is not escaped). The reason for the 'expires' attribute taking precedence over the 'version' attribute is that such malformations are simply too common. But what definitely looks wrong is that the cookie spec stores the cookie with version equal to 1 instead of 0 (Netscape style). The 'version' attribute should have been ignored.

> and the hadoop.auth value is stored on the client with quotes, since the
> netscape cookies do not support quotes (from RFC2109): "Note that the
> Expires date format contains embedded spaces, and that "old" cookies did
> not have quotes around values. "
>
> Then, when the cookie is sent back to the server, the hadoop.auth value is
> quoted again, i.e.:
> hadoop.auth=""someValue""; Version=1; Expires=Fri, 01 Aug 2014 09:03:40
> GMT; HttpOnly
> which causes the server to see the hadoop.auth value as "".
>
> Does this seem like a bug?

Yes, it does. Please raise a JIRA for this defect.

> It seems like httpclient could handle this in a
> number of ways, e.g.:
> 1) having a version field causes the cookie to be parsed even if there is
> an expires (note: we'd have to quote the Expires to get it to parse
> correctly as a non-netscape cookie)
> 2) if it's a netscape cookie, it shouldn't be quoted when sent back, since
> netscape cookies don't support quotes anyway
> 3) perhaps some check on the expires, i.e. if it's quoted it's assumed not
> to be a netscape cookie, since netscape cookies don't have quotes
>

The problem is that an incorrect 'version' attribute value causes the cookie to be formatted as a standard (version 1) cookie, which may lead to some attribute values enclosed in quote marks twice.

Oleg

> Thoughts?
> Greg
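
The round trip discussed in this thread, as an added example that is not part of the original e-mails and is not httpclient source: a simplified model in which the client parses the header Netscape-style, stores a version, and formats the value back, first with the `Version=1` attribute recorded (the reported defect) and then with it ignored. All class and method names are hypothetical, and only the `name=value` pair of the outgoing header is modelled.

```java
import java.util.*;

// Simplified model of the cookie round trip; NOT httpclient code. Needs Java 16+ (records).
public class CookieRoundTrip {
    // The value exactly as the client keeps it, plus the version it was stored with.
    record Stored(String name, String value, int version) {}

    // Client parse. An unquoted Expires makes the header Netscape-style, so the value
    // keeps its quote marks. honourVersion=true models the defect (Version=1 is still
    // recorded); false models ignoring it, so the cookie is stored as version 0.
    static Stored parse(String setCookie, boolean honourVersion) {
        String[] parts = setCookie.split(";\\s*");
        String[] nv = parts[0].split("=", 2);
        boolean netscape = false;
        int version = 0;
        for (int i = 1; i < parts.length; i++) {
            String[] a = parts[i].split("=", 2);
            String key = a[0].trim().toLowerCase(Locale.ROOT);
            if (key.equals("expires") && a.length == 2 && !a[1].startsWith("\"")) netscape = true;
            if (key.equals("version") && a.length == 2) version = Integer.parseInt(a[1].trim());
        }
        String value = netscape ? nv[1] : unquote(nv[1]);
        return new Stored(nv[0], value, netscape && !honourVersion ? 0 : version);
    }

    static String unquote(String v) {
        boolean quoted = v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"");
        return quoted ? v.substring(1, v.length() - 1) : v;
    }

    // Client format: version > 0 is written as a standard cookie with a quoted value;
    // version 0 is written Netscape-style with the stored value untouched.
    static String format(Stored c) {
        return c.version() > 0 ? c.name() + "=\"" + c.value() + "\"" : c.name() + "=" + c.value();
    }

    // Server read of the value: a quoted string ends at the next quote mark.
    static String serverValue(String pair) {
        String v = pair.split("=", 2)[1];
        if (!v.startsWith("\"")) return v;
        int end = v.indexOf('"', 1);
        return end < 0 ? v.substring(1) : v.substring(1, end);
    }

    public static void main(String[] args) {
        // Header taken from the thread.
        String h = "hadoop.auth=\"someValue\"; Version=1; Expires=Fri, 01 Aug 2014 09:03:40 GMT; HttpOnly";
        for (boolean honourVersion : new boolean[] {true, false}) {
            String sent = format(parse(h, honourVersion));
            System.out.println(sent + "  -> server sees [" + serverValue(sent) + "]");
        }
    }
}
```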
