quetz-mod_python-dev mailing list archives

From "Gregory (Grisha) Trubetskoy" <gri...@apache.org>
Subject Re: [mod_python] Cookie patch
Date Fri, 14 Jan 2005 19:23:38 GMT


On Thu, 13 Jan 2005, Craig Warren wrote:

> I found an error with the Cookie module.  When the cookie module parses a 
> cookie, if that cookie has $Version or $Path in it you get an error. My cookie 
> is coming from a java library, that puts $Version and $Path in it.
> example ="Cookie: $Version=0; pysid=34a9b38c34;$Path=/"

This is a bogus cookie unless I'm missing something. The RFC says that 
$Version should be 1. A $Version of 0 would "suggest" that this is a 
Netscape cookie, and the Netscape cookies do not specify $Path. Exactly 
which Java library did this come from? ;-)

What I think would be interesting is if people could test RFC2965 compliance 
of their browsers and report the results to the list. AFAIK the most common 
ones out there (IE for example) do not support it, which makes using $Path 
risky.

I highly recommend reading "HTTP Cookies: Standards, Privacy, and 
Politics" and other stuff on http://kristol.org/cookie/ to get a better 
idea of what a mess the cookie spec presently is.

I suggest before we go and change code, we have a little discussion about 
the objectives here. If I remember it correctly, I started out with a 
Cookie module that I wanted to be RFC compliant, but having looked deeper 
into the matter I realized that (1) Netscape and RFC are mutually 
incompatible, and (2) the RFCs are not supported by some very popular 
browsers, and therefore it does not make sense to bother with RFC 
compliance.

This is why there is a '$' in Cookie.py - I was probably trying to 
roll-back the RFC support, but left it behind.

I highly suspect that a lot of cookie code you will find out there (e.g. 
Jetty) is a result of developers having followed the same sorry path of 
discovery and should always be treated with utmost scrutiny, i.e. I don't 
buy the argument that if Jetty's been around for 7 years it is now 
authoritative. (On the contrary, 7 years ago things were a lot messier 
than now).

Grisha
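The parsing problem raised in the thread, as an added example that is not code from the original message or from mod_python's Cookie.py: a small Cookie-header parser that accepts both the Netscape form and the RFC 2965 form with `$`-prefixed attributes. A leading `$Version` is recorded for the whole header, `$Path`/`$Domain`/`$Port` after a cookie are attached to that cookie, and a stray `$`-attribute with no preceding cookie is ignored instead of raising. The sample headers are constructed for the example; one of them is the `$Version=0; pysid=...;$Path=/` shape quoted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample headers (not taken from any real client). The first is the
# RFC 2965-style header shape reported in the thread; the second is plain Netscape style.
RFC2965_HEADER = "$Version=0; pysid=34a9b38c34;$Path=/"
NETSCAPE_HEADER = "pysid=34a9b38c34; theme=dark"

# Cookie names must be HTTP tokens: no separators, spaces or control characters.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class Cookie:
    name: str
    value: str
    # RFC 2965 per-cookie attributes ($Path, $Domain, $Port), keyed without the '$'
    attrs: dict = field(default_factory=dict)


def _unquote(value: str) -> str:
    """Strip one pair of surrounding double quotes, as RFC 2965 allows for values."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_cookie_header(header: str):
    """Parse the body of a Cookie request header.

    Returns (version, {name: Cookie}). version is 0 for Netscape-style headers
    that carry no $Version, and the integer given by $Version otherwise.
    """
    version = 0
    cookies = {}
    current = None  # the most recent real cookie, so $-attributes can attach to it
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        value = _unquote(value.strip())
        if name.startswith("$"):
            attr = name[1:].lower()
            if attr == "version":
                # A non-integer $Version is treated as absent rather than as an error.
                version = int(value) if value.isdigit() else 0
            elif current is not None:
                current.attrs[attr] = value
            # A $-attribute before any cookie has nothing to attach to; skip it.
            continue
        if not sep or not _TOKEN.match(name):
            continue  # malformed pair or illegal name: drop it, do not fail the request
        current = Cookie(name, value)
        cookies[name] = current
    return version, cookies


def cookie_values(header: str) -> dict:
    """Convenience view for application code: just name -> value."""
    _, cookies = parse_cookie_header(header)
    return {name: c.value for name, c in cookies.items()}


if __name__ == "__main__":
    for h in (RFC2965_HEADER, NETSCAPE_HEADER):
        version, cookies = parse_cookie_header(h)
        print(h, "->", version, {n: (c.value, c.attrs) for n, c in cookies.items()})
```

Dropping malformed pairs and stray `$`-attributes, rather than raising, keeps a client that emits a non-standard mix of the two formats from turning into a server-side error; which attributes the application then trusts is a separate decision, since the example only records them.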
