RFC 6265 and non-prefix cookie path
Hi,

I'm using httpclient 4.5.2 and the CookieSpec Standard.

If the response to an HTTP request to http://.../abc contains a cookie for the path /def, this cookie is rejected by httpclient. This is the correct behavior in the case of RFC 2109 (cf. https://issues.apache.org/jira/browse/HTTPCLIENT-1043). But RFC 6265 (as far as I know) does not state that a cookie path must be a prefix of the request URI path. In 8.6 it is even mentioned as a "security problem" that 'an HTTP response to a request for http://example.com/foo/bar can set a cookie with a Path attribute of "/qux"'.

I know that I can work around my problem by using a custom cookie policy. I just wondered if this behavior of httpclient is correct with respect to RFC 6265.

Best regards
Ole

---
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: RFC 6265 and non-prefix cookie path
On Fri, 2016-11-25 at 16:02 +0100, Schulz-Hildebrandt, Ole wrote:
> Hi,
>
> I'm using httpclient 4.5.2 and the CookieSpec Standard.
>
> If the response to a http request to http://.../abc contains a cookie for the
> path /def this cookie is rejected by httpclient. This is the correct behavior
> in case of RFC 2109 (cf.
> https://issues.apache.org/jira/browse/HTTPCLIENT-1043). But RFC 6265 (as far
> as I know) does not state that a cookie path must be a prefix of the request
> uri path. In 8.6 it is even mentioned as a "security problem" that 'an HTTP
> response to a request for http://example.com/foo/bar can set a cookie with a
> Path attribute of "/qux"'.
>
> I know that I can workaround my problem by using a custom cookie policy. I
> just wondered if this behavior of httpclient is correct with respect to RFC
> 6265.
>
> Best regards
> Ole

Hi Ole

I skimmed through the RFC and also could not find a statement supporting this behavior. This is likely to be a leftover from earlier implementations of cookie specs.

Please feel free to raise an issue in JIRA for this defect.

Oleg
Re: RFC 6265 and non-prefix cookie path
Why not keep it as a sane default behavior? Since there is a security warning, it is reasonable to implement a countermeasure, especially if it was the prescribed method in the past.

Regards
Bernd
--
http://bernd.eckenfels.net

On Sat, Nov 26, 2016 at 4:29 PM +0100, "Oleg Kalnichevski" wrote:
> On Fri, 2016-11-25 at 16:02 +0100, Schulz-Hildebrandt, Ole wrote:
> > Hi,
> >
> > I'm using httpclient 4.5.2 and the CookieSpec Standard.
> >
> > If the response to a http request to http://.../abc contains a cookie for the
> > path /def this cookie is rejected by httpclient. This is the correct behavior
> > in case of RFC 2109 (cf.
> > https://issues.apache.org/jira/browse/HTTPCLIENT-1043). But RFC 6265 (as far
> > as I know) does not state that a cookie path must be a prefix of the request
> > uri path. In 8.6 it is even mentioned as a "security problem" that 'an HTTP
> > response to a request for http://example.com/foo/bar can set a cookie with a
> > Path attribute of "/qux"'.
> >
> > I know that I can workaround my problem by using a custom cookie policy. I
> > just wondered if this behavior of httpclient is correct with respect to RFC
> > 6265.
> >
> > Best regards
> > Ole
>
> Hi Ole
>
> I skimmed through the RFC and also could not find a statement supporting this
> behavior. This is likely to be a left over from earlier implementations of
> cookie specs.
>
> Please feel free to raise am issue in JIRA for this defect.
>
> Oleg
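The two policies this thread contrasts, worked through as an added example in Python (this is not HttpClient code, and the Set-Cookie strings and URLs below are constructed for the example): RFC 6265 section 5.1.4 default-path and path-match, plus a `strict` switch that models the rejection Ole describes, i.e. the RFC 2109 section 4.3.2 rule that a cookie whose Path does not match the request path is discarded. The function names (`store_cookie`, `path_attribute`) are the example's own.

```python
"""RFC 6265 cookie-path handling versus the older RFC 2109 rejection rule.

Added example for the mailing-list thread; not code from Apache HttpClient.
"""
from urllib.parse import urlsplit


def default_path(uri_path: str) -> str:
    """RFC 6265 section 5.1.4: default-path of a request-uri path."""
    if not uri_path or not uri_path.startswith("/"):
        return "/"
    if uri_path.count("/") <= 1:
        return "/"
    # everything up to, but not including, the right-most "/"
    return uri_path[: uri_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match predicate."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # cookie-path is a proper prefix of request-path: it must end in "/"
    # or the next request-path character must be "/" (so /foo does not
    # match /foobar).
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def path_attribute(set_cookie: str):
    """Value of the Path attribute of a Set-Cookie header value, or None.

    Attribute names are matched case-insensitively (RFC 6265 section 5.2).
    """
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "path":
            return value.strip()
    return None


def store_cookie(request_url: str, set_cookie: str, strict: bool):
    """Decide the cookie-path for a Set-Cookie received on request_url.

    strict=False: RFC 6265 section 5.3 behaviour. Any Path is stored; the
                  cookie is simply only sent with requests that path-match
                  it (section 5.4). Nothing ties the Path to the request
                  path, which is the section 8.6 "security problem".
    strict=True : the RFC 2109 section 4.3.2 rule, expressed with the
                  RFC 6265 path-match predicate: reject the cookie when
                  the request path does not match the cookie-path.
    Returns the cookie-path, or None when the cookie is rejected.
    """
    request_path = urlsplit(request_url).path
    attr = path_attribute(set_cookie)
    if not attr or not attr.startswith("/"):  # section 5.2.4
        cookie_path = default_path(request_path)
    else:
        cookie_path = attr
    if strict and not path_matches(request_path, cookie_path):
        return None
    return cookie_path


def thread_case(strict: bool):
    """The case from the thread: a response to /abc sets Path=/def."""
    return store_cookie("http://example.com/abc", "sid=1; Path=/def", strict)


if __name__ == "__main__":
    print("RFC 6265, lax :", thread_case(strict=False))   # /def is stored
    print("RFC 2109 rule :", thread_case(strict=True))    # rejected (None)
    # The section 8.6 example: /foo/bar sets a cookie for /qux.
    p = store_cookie("http://example.com/foo/bar", "t=1; Path=/qux", False)
    print("stored for", p, "- sent to /qux?", path_matches("/qux", p),
          "- sent to /foo/bar?", path_matches("/foo/bar", p))
```

With `strict=False` the `/def` cookie is kept and later attached to requests under `/def` only; with `strict=True` it is dropped, which is the 4.5.2 behaviour the thread describes. The `path_matches` check also shows why a plain string-prefix test is not enough: `/foo` must not match `/foobar`.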
Re: RFC 6265 and non-prefix cookie path
> On Fri, 2016-11-25 at 16:02 +0100, Schulz-Hildebrandt, Ole wrote:
> > Hi,
> >
> > I'm using httpclient 4.5.2 and the CookieSpec Standard.
> >
> > If the response to a http request to http://.../abc contains a cookie
> > for the path /def this cookie is rejected by httpclient. This is the
> > correct behavior in case of RFC 2109 (cf.
> > https://issues.apache.org/jira/browse/HTTPCLIENT-1043). But RFC 6265
> > (as far as I know) does not state that a cookie path must be a prefix
> > of the request uri path. In 8.6 it is even mentioned as a "security
> > problem" that 'an HTTP response to a request for
> > http://example.com/foo/bar can set a cookie with a Path attribute of
> > "/qux"'.
> >
> > I know that I can workaround my problem by using a custom cookie
> > policy. I just wondered if this behavior of httpclient is correct with
> > respect to RFC 6265.
> >
> > Best regards
> > Ole
>
> Hi Ole
>
> I skimmed through the RFC and also could not find a statement
> supporting this behavior. This is likely to be a left over from earlier
> implementations of cookie specs.
>
> Please feel free to raise am issue in JIRA for this defect.
>
> Oleg

Hi Oleg,

thanks for your reply. I created https://issues.apache.org/jira/browse/HTTPCLIENT-1788

Ole