-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 André,
Thanks for further investigation. Comments, as always, are below. On 9/14/2010 6:17 PM, André Warnier wrote: > 3.3.3 Cookie Management If a user agent receives a Set-Cookie2 > response header whose NAME is the same as that of a cookie it has > previously stored, the new cookie supersedes the old when: the old > and new Domain attribute values compare equal, using a case- > insensitive string-compare; and, the old and new Path attribute > values string-compare equal (case-sensitive). This was the business I was looking for. > Personal interpretation, inasmuch as necessary : > > Neither the "Port" nor the "Secure" attributes are "identifiers" of the > cookie; 2 cookies which have the same name and domain and path, but > different "Port" and/or "Secure" attributes, are the same cookie, and > one overwrites the other. Exactly. > So a browser should never return 2 cookies with the same name and path, > with a request to the same host. Well, the browser doesn't have to report the path to the server when sending a request. It is still (definitely!) possible to get more than one cookie with the same name yet different values sent to the server. Believe me, I've seen it happen and had to fix my nested web application paths to prevent that (self-inflicted) stupidity from interfering with my webapp's operation. > 2. If the attribute is present but has no value (e.g., Port), the > cookie MUST only be sent to the request-port it was received > from. That's interesting: "use the current port" without being explicit. > An interesting question is still this : > if a server sends 2 cookies to a browser, with the same name and path, > but a diffrent domain : cookie 1 has a domain "myhost.mycompany.com", > and cookie 2 a domain of ".company.com". > > According to what I understand, the browser should cache both cookie > separately, as they differ by the domain attribute. > But should the browser return both cookies with the next request to the > same host ? Yup! - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyQ2WMACgkQ9CaO5/Lv0PCmXACdG6D9F4jA56CO/rvm+Tvkw0Aq nd4AoL34edqdOzOZktdM4YGXez0JkiNQ =VByq -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
