You are viewing a plain text version of this content. The canonical link for it is here.

Posted to httpclient-users@hc.apache.org by Duncan McGregor <du...@oneeyedmen.com> on 2004/11/06 17:59:41 UTC

Commas in cookie values

First thanks for an excellent product - it is making my current project
possible.

I am talking to a server (not mine, no control) which is sending headers such as

Set-Cookie:
SESSION_ID=11846295,QLtzbvdrgUo7GmXTn+PqCGLxVMsK3cXGg9a6SAKYFz0VMARnsz2lbg==;Pat
h=/

This is parsed by HeaderElement which has SEPARATORS with a comma. The net
result is that I am getting 2 cookies set, and obviously the webapp is
terminally confused when I send them back.

I've tried 3.0 alpha 2. That ends up with one good cookie, but is too unstable.

Do you have any advice? Is the server or client at fault, and, given that I
cannot control the former, can you suggest a workaround?

Thanks in anticipation.

Duncan Mc^Gregor
The name rings a bell
www.oneeyedmen.com
 

PS - link to mailing list subscribe at 
http://jakarta.apache.org/commons/httpclient/httpclient-user-subscribe@jakarta.a
pache.org

on page 
http://jakarta.apache.org/commons/httpclient/mail-lists.html

is broken. So please reply direct.




---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

Re: Commas in cookie values

Posted by Oleg Kalnichevski <ol...@apache.org>.

Duncan,
Comma is defined as a special character by the HTTP spec used to
separate HTTP header elements. Cookie values containing special
characters MUST be quoted. 

The cookie sent by the server clearly violates the cookie spec RFC2109.
The set-cookie header should have looked like that to be valid and
unambiguous 

SESSION_ID="11846295,QLtzbvdrgUo7GmXTn+PqCGLxVMsK3cXGg9a6SAKYFz0VMARnsz2lbg==";Path="/"

The browser compatibility policy will not help. Your only resort is the
NETSCAPE draft cookie policy of HttpClient 3.0, which is the only cookie
spec that permits commas in unquoted cookie values.

Hope this clarifies things a little

Oleg



On Sat, 2004-11-06 at 17:59, Duncan McGregor wrote:
> First thanks for an excellent product - it is making my current project
> possible.
> 
> I am talking to a server (not mine, no control) which is sending headers such as
> 
> Set-Cookie:
> SESSION_ID=11846295,QLtzbvdrgUo7GmXTn+PqCGLxVMsK3cXGg9a6SAKYFz0VMARnsz2lbg==;Pat
> h=/
> 
> This is parsed by HeaderElement which has SEPARATORS with a comma. The net
> result is that I am getting 2 cookies set, and obviously the webapp is
> terminally confused when I send them back.
> 
> I've tried 3.0 alpha 2. That ends up with one good cookie, but is too unstable.
> 
> Do you have any advice? Is the server or client at fault, and, given that I
> cannot control the former, can you suggest a workaround?
> 
> Thanks in anticipation.
> 
> Duncan Mc^Gregor
> The name rings a bell
> www.oneeyedmen.com
>  
> 
> PS - link to mailing list subscribe at 
> http://jakarta.apache.org/commons/httpclient/httpclient-user-subscribe@jakarta.a
> pache.org
> 
> on page 
> http://jakarta.apache.org/commons/httpclient/mail-lists.html
> 
> is broken. So please reply direct.
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

RE: Commas in cookie values

Posted by Duncan McGregor <du...@oneeyedmen.com>.

Thanks for the prompt response.

> The cookie sent by the server clearly violates the cookie spec RFC2109.

I agree that the header is wrong, but I'm not in any position to fix the server.

> Your only resort is the NETSCAPE draft cookie policy of HttpClient 3.0, which
is the only cookie spec that permits commas in unquoted cookie values.

I'll give that a go.

> In regard to HttpClient 3.0, it's actually pretty stable.  We plan to have a
beta release quite soon, and given lack of problems encountered so far we expect
a final release to come shortly after.

I had rejected 3.0 for not fetching a page that 2.0 was happy with, but it's
probably my misunderstanding. I'll work my way through it.

Thanks again.

Duncan




---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

Re: Commas in cookie values

Posted by Michael Becke <be...@u.washington.edu>.

Hi Duncan,

Have you tried using the cookie compatibility mode  
<http://jakarta.apache.org/commons/httpclient/cookies.html>?  This  
usually takes care of most issues.

In regard to HttpClient 3.0, it's actually pretty stable.  We plan to  
have a beta release quite soon, and given lack of problems encountered  
so far we expect a final release to come shortly after.

Also, thanks for pointing out the problem with the mailing list.  There  
seems to be a issue with how maven is generating this page.  I've  
manually fixed it for the time being.

Mike

On Nov 6, 2004, at 11:59 AM, Duncan McGregor wrote:

> First thanks for an excellent product - it is making my current project
> possible.
>
> I am talking to a server (not mine, no control) which is sending  
> headers such as
>
> Set-Cookie:
> SESSION_ID=11846295,QLtzbvdrgUo7GmXTn+PqCGLxVMsK3cXGg9a6SAKYFz0VMARnsz2 
> lbg==;Pat
> h=/
>
> This is parsed by HeaderElement which has SEPARATORS with a comma. The  
> net
> result is that I am getting 2 cookies set, and obviously the webapp is
> terminally confused when I send them back.
>
> I've tried 3.0 alpha 2. That ends up with one good cookie, but is too  
> unstable.
>
> Do you have any advice? Is the server or client at fault, and, given  
> that I
> cannot control the former, can you suggest a workaround?
>
> Thanks in anticipation.
>
> Duncan Mc^Gregor
> The name rings a bell
> www.oneeyedmen.com
>
>
> PS - link to mailing list subscribe at
> http://jakarta.apache.org/commons/httpclient/httpclient-user- 
> subscribe@jakarta.a
> pache.org
>
> on page
> http://jakarta.apache.org/commons/httpclient/mail-lists.html
>
> is broken. So please reply direct.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:  
> httpclient-user-help@jakarta.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org