Posted to dev@hc.apache.org by bu...@apache.org on 2003/05/19 12:42:40 UTC

DO NOT REPLY [Bug 20031] New: - Set-Cookie header misinterpreted


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20031

           Summary: Set-Cookie header misinterpreted
           Product: Commons
           Version: 2.0 Alpha 1
          Platform: PC
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: Other
         Component: HttpClient
        AssignedTo: commons-httpclient-dev@jakarta.apache.org
        ReportedBy: lars.wunderlich@tui.de


Reading some Microsoft Expedia.de websites with HttpClient, I found a strange misbehaviour between the browser and Apache HttpClient interpretation of cookie header data from a website.
E.g. the IIS server at expedia.de serves the following cookie data:

Set-Cookie: user=v.3,EX01E6A0DF34$17$34201000$0B$B7$E94!G0.!5010$0E020$BF$31$B0$7D$DF$C2$EA9; Domain=.expedia.de; path=/

As defined in RFC document 2109 chapter 4.2.2 Cookie Syntax:
"Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs."

On the one hand, the responsible parser in the commons HttpClient separates the String correctly at its commas and therefore creates two cookie data elements:
user=v.3
EX01E6A0DF34$17$34201000$0B$B7$E94!G0.!5010$0E020$BF$31$B0$7D$DF$C2$EA9=null

On the other hand, Microsoft Internet Explorer seems to interpret it as only one element with a comma inside:
user=v.3,EX01E6A0DF34$17$34201000$0B$B7$E94!G0.!5010$0E020$BF$31$B0$7D$DF$C2$EA9

Looking only at the first sentence, the interpretation of the Apache parser is right, but on a second look, the sentence "Each cookie begins with a NAME=VALUE pair..." is not taken into account by the Apache parser.

You may decide this is not a bug, but IE 5.5 and Mozilla 1.4 seem to parse these cookie data fine.
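
The two readings described in this report, as an added example that is not part of the original message and is not HttpClient's code. The lenient rule (a comma separates cookies only when a NAME= pair follows it) and all function names are assumptions made for illustration; the first header is the one quoted in the report, the second is constructed to show that the same rule also copes with the comma inside an expires date.

```python
import re

# A new cookie must begin with NAME=, where NAME is an HTTP token.
_NEW_COOKIE = re.compile(r"\s*[!#$%&'*+\-.^_`|~0-9A-Za-z]+\s*=")

# Header value quoted in the bug report.
REPORT_HEADER = ("user=v.3,EX01E6A0DF34$17$34201000$0B$B7$E94!G0.!5010$0E020"
                 "$BF$31$B0$7D$DF$C2$EA9; Domain=.expedia.de; path=/")
# Constructed sample: two cookies, the first with a date containing a comma.
CONSTRUCTED_HEADER = ("sid=abc; expires=Mon, 19-May-2003 12:42:40 GMT; path=/,"
                      " lang=de")

def split_strict(header_value):
    """Split on every comma (the 'comma-separated list' reading)."""
    return [part.strip() for part in header_value.split(",")]

def split_lenient(header_value):
    """Split on a comma only if a NAME= pair follows it (heuristic).

    A value that itself contains ',name=' would still be split.
    """
    cookies, start, in_quotes = [], 0, False
    for i, ch in enumerate(header_value):
        if ch == '"':
            in_quotes = not in_quotes
        elif (ch == "," and not in_quotes
              and _NEW_COOKIE.match(header_value, i + 1)):
            cookies.append(header_value[start:i].strip())
            start = i + 1
    cookies.append(header_value[start:].strip())
    return cookies

def parse_cookie(text):
    """Return the name, value and attributes of one cookie string."""
    parts = [p.strip() for p in text.split(";")]
    name, sep, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # A first element without '=' has a name and no value.
    return {"name": name.strip(), "value": value if sep else None,
            "attrs": attrs}

if __name__ == "__main__":
    for splitter in (split_strict, split_lenient):
        for header in (REPORT_HEADER, CONSTRUCTED_HEADER):
            print(splitter.__name__, [parse_cookie(c) for c in splitter(header)])
```

A client and a browser that disagree on this split will store and send different cookies for the same response, so the difference is worth testing against real server output before relying on either rule.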