adding and editing response headers in conf

[Sorin Manolache <so...@gmail.com>]

Hello,

I have a content generator that sets a cookie on a domain. I know the
cookie name and the domain name, they never change. However the cookie
value and expiration time vary. I would like to add the cookie with
same name and value, and optionally the same expiration time to a
second domain. Is there a way to do it just by configuring apache and
its standard modules? I do not want to _edit_ the Set-Cookie header. I
want to _add_ a second Set-Cookie header that is identical to the
first with the exception of the domain.

Here's an example:

The content generator gives the response

Set-Cookie: cookie_name=cookie_value; domain=host.domain.net;
expires=Mon, 20 Jun 2011 10:00:00 GMT

I want the response

Set-Cookie: cookie_name=cookie_value; domain=host.domain.net;
expires=Mon, 20 Jun 2011 10:00:00 GMT
Set-Cookie: cookie_name=cookie_value; domain=.domain.net; expires=Mon,
20 Jun 2011 10:00:00 GMT

Can I get this response just by changing the configuration of apache?

"Header edit cookie_name(.*)domain=[^;]+(.*)
cookie_name$1domain=.domain.net$2" does not help as it only moves the
cookie from one domain to the other and I want it copied, not moved.


Thank you,
Sorin

Re: adding and editing response headers in conf

[Joe Lewis <jl...@silverhawk.net>]

On Thu, 2011-06-16 at 18:57 +0200, Sorin Manolache wrote:

> On Thu, Jun 16, 2011 at 18:41, Joe Lewis <jl...@silverhawk.net> wrote:
> > On Thu, 2011-06-16 at 12:32 -0400, Shawn Ligocki wrote:
> >
> >> On Thu, Jun 16, 2011 at 11:57 AM, Joe Lewis <jl...@silverhawk.net> wrote:
> >>
> >> > On Thu, 2011-06-16 at 17:46 +0200, Sorin Manolache wrote:
> >> >
> >> > >
> >> > > Can I get this response just by changing the configuration of apache?
> >> > >
> >> > > "Header edit cookie_name(.*)domain=[^;]+(.*)
> >> > > cookie_name$1domain=.domain.net$2" does not help as it only moves the
> >> > > cookie from one domain to the other and I want it copied, not moved.
> >> >
> >> >
> >> > That is really how it should be.  A second header of the same name isn't
> >> > really allowed in the specification.
> >>
> >>
> >> I believe the HTTP spec does allow multiple Set-Cookie HTTP headers:
> >>
> >> From RFC 2616, Section
> >> 4.2<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>
> >> :
> >>
> >> Multiple message-header fields with the same field-name *may* be present in
> >> > a message if and only if the entire field-value for that header field is
> >> > defined as a comma-separated list [i.e., #(values)]. It *must* be possible
> >> > to combine the multiple header fields into one "field-name: field-value"
> >> > pair, without changing the semantics of the message, by appending each
> >> > subsequent field-value to the first, each separated by a comma. The order in
> >> > which header fields with the same field-name are received is therefore
> >> > significant to the interpretation of the combined field value, and thus a
> >> > proxy *must not* change the order of these field values when a message is
> >> > forwarded.
> >
> >
> > Sorin, there is your answer.  Set the header to a single value
> > containing both cookies.  Thanks, Shawn!
> 
> Thanks, I've tried, but it does not work.
> 
> First, Firefox seems to simply ignore the second cookie. I do
> "Set-Cookie: a=1,b=2" and I see only a=1 in my cookie collection.
> 
> Second, there's the problem with "expires". Typically its syntax is
> "Mon, 15-Aug-2011 10:00:00 GMT", i.e. it contains a comma. So I think
> that Set-Cookie does not satisfy the condition "It *must* be possible
> to combine the multiple header fields into one "field-name:
> field-value" pair, without changing the semantics of the message"
> 
> Sorin


That's the Netscape spec, and a lot of browsers (Firefox by nature is in
this category due to it's ancestry) choose to implement that.  If the
comma doesn't work, you might have to resort to the javascript or the
location bounce to get the second header.

The problem with the native C approaches to adding a second header is
that it uses the apr_table_* functions, which overwrite what is in there
when a "new" one is set.

Joe
-- 
Director - Systems Administration
http://www.silverhawk.net/

Re: adding and editing response headers in conf

[Sorin Manolache <so...@gmail.com>]

On Thu, Jun 16, 2011 at 18:41, Joe Lewis <jl...@silverhawk.net> wrote:
> On Thu, 2011-06-16 at 12:32 -0400, Shawn Ligocki wrote:
>
>> On Thu, Jun 16, 2011 at 11:57 AM, Joe Lewis <jl...@silverhawk.net> wrote:
>>
>> > On Thu, 2011-06-16 at 17:46 +0200, Sorin Manolache wrote:
>> >
>> > >
>> > > Can I get this response just by changing the configuration of apache?
>> > >
>> > > "Header edit cookie_name(.*)domain=[^;]+(.*)
>> > > cookie_name$1domain=.domain.net$2" does not help as it only moves the
>> > > cookie from one domain to the other and I want it copied, not moved.
>> >
>> >
>> > That is really how it should be.  A second header of the same name isn't
>> > really allowed in the specification.
>>
>>
>> I believe the HTTP spec does allow multiple Set-Cookie HTTP headers:
>>
>> From RFC 2616, Section
>> 4.2<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>
>> :
>>
>> Multiple message-header fields with the same field-name *may* be present in
>> > a message if and only if the entire field-value for that header field is
>> > defined as a comma-separated list [i.e., #(values)]. It *must* be possible
>> > to combine the multiple header fields into one "field-name: field-value"
>> > pair, without changing the semantics of the message, by appending each
>> > subsequent field-value to the first, each separated by a comma. The order in
>> > which header fields with the same field-name are received is therefore
>> > significant to the interpretation of the combined field value, and thus a
>> > proxy *must not* change the order of these field values when a message is
>> > forwarded.
>
>
> Sorin, there is your answer.  Set the header to a single value
> containing both cookies.  Thanks, Shawn!

Thanks, I've tried, but it does not work.

First, Firefox seems to simply ignore the second cookie. I do
"Set-Cookie: a=1,b=2" and I see only a=1 in my cookie collection.

Second, there's the problem with "expires". Typically its syntax is
"Mon, 15-Aug-2011 10:00:00 GMT", i.e. it contains a comma. So I think
that Set-Cookie does not satisfy the condition "It *must* be possible
to combine the multiple header fields into one "field-name:
field-value" pair, without changing the semantics of the message"

Sorin

Re: adding and editing response headers in conf

[Joe Lewis <jl...@silverhawk.net>]

On Thu, 2011-06-16 at 12:32 -0400, Shawn Ligocki wrote:

> On Thu, Jun 16, 2011 at 11:57 AM, Joe Lewis <jl...@silverhawk.net> wrote:
> 
> > On Thu, 2011-06-16 at 17:46 +0200, Sorin Manolache wrote:
> >
> > > 
> > > Can I get this response just by changing the configuration of apache?
> > >
> > > "Header edit cookie_name(.*)domain=[^;]+(.*)
> > > cookie_name$1domain=.domain.net$2" does not help as it only moves the
> > > cookie from one domain to the other and I want it copied, not moved.
> >
> >
> > That is really how it should be.  A second header of the same name isn't
> > really allowed in the specification.
> 
> 
> I believe the HTTP spec does allow multiple Set-Cookie HTTP headers:
> 
> From RFC 2616, Section
> 4.2<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>
> :
> 
> Multiple message-header fields with the same field-name *may* be present in
> > a message if and only if the entire field-value for that header field is
> > defined as a comma-separated list [i.e., #(values)]. It *must* be possible
> > to combine the multiple header fields into one "field-name: field-value"
> > pair, without changing the semantics of the message, by appending each
> > subsequent field-value to the first, each separated by a comma. The order in
> > which header fields with the same field-name are received is therefore
> > significant to the interpretation of the combined field value, and thus a
> > proxy *must not* change the order of these field values when a message is
> > forwarded.


Sorin, there is your answer.  Set the header to a single value
containing both cookies.  Thanks, Shawn!

Joe
-- 
Director - Systems Administration
http://www.silverhawk.net/

Re: adding and editing response headers in conf

[Shawn Ligocki <sl...@google.com>]

On Thu, Jun 16, 2011 at 11:57 AM, Joe Lewis <jl...@silverhawk.net> wrote:

> On Thu, 2011-06-16 at 17:46 +0200, Sorin Manolache wrote:
>
> > Hello,
> >
> > I have a content generator that sets a cookie on a domain. I know the
> > cookie name and the domain name, they never change. However the cookie
> > value and expiration time vary. I would like to add the cookie with
> > same name and value, and optionally the same expiration time to a
> > second domain. Is there a way to do it just by configuring apache and
> > its standard modules? I do not want to _edit_ the Set-Cookie header. I
> > want to _add_ a second Set-Cookie header that is identical to the
> > first with the exception of the domain.
> >
> > Here's an example:
> >
> > The content generator gives the response
> >
> > Set-Cookie: cookie_name=cookie_value; domain=host.domain.net;
> > expires=Mon, 20 Jun 2011 10:00:00 GMT
> >
> > I want the response
> >
> > Set-Cookie: cookie_name=cookie_value; domain=host.domain.net;
> > expires=Mon, 20 Jun 2011 10:00:00 GMT
> > Set-Cookie: cookie_name=cookie_value; domain=.domain.net; expires=Mon,
> > 20 Jun 2011 10:00:00 GMT
> >
> > Can I get this response just by changing the configuration of apache?
> >
> > "Header edit cookie_name(.*)domain=[^;]+(.*)
> > cookie_name$1domain=.domain.net$2" does not help as it only moves the
> > cookie from one domain to the other and I want it copied, not moved.
>
>
> That is really how it should be.  A second header of the same name isn't
> really allowed in the specification.


I believe the HTTP spec does allow multiple Set-Cookie HTTP headers:

>From RFC 2616, Section
4.2<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>
:

Multiple message-header fields with the same field-name *may* be present in
> a message if and only if the entire field-value for that header field is
> defined as a comma-separated list [i.e., #(values)]. It *must* be possible
> to combine the multiple header fields into one "field-name: field-value"
> pair, without changing the semantics of the message, by appending each
> subsequent field-value to the first, each separated by a comma. The order in
> which header fields with the same field-name are received is therefore
> significant to the interpretation of the combined field value, and thus a
> proxy *must not* change the order of these field values when a message is
> forwarded.


Furthermore, from RFC 2109, Section 4.2.1<http://www.ietf.org/rfc/rfc2109.txt>
:

An origin server may include multiple Set-Cookie headers in a response. Note
> that an intervening gateway could fold multiple such headers into a single
> header.


Cheers,
-Shawn

I realize that some CGI tools
> successfully add it in, and browsers do try to handle multiples, but it
> isn't supposed to happen.
>
> Two viable options :
>
> Print one header with a 302 in order to force the browser to make a
> second request that we can get the other cookie into.
>
> Respond with javascript that sets the cookie for the second domain.
>
> Joe
> --
> Director - Systems Administration
> http://www.silverhawk.net/
>

Re: adding and editing response headers in conf

[Joe Lewis <jl...@silverhawk.net>]

On Thu, 2011-06-16 at 17:46 +0200, Sorin Manolache wrote:

> Hello,
> 
> I have a content generator that sets a cookie on a domain. I know the
> cookie name and the domain name, they never change. However the cookie
> value and expiration time vary. I would like to add the cookie with
> same name and value, and optionally the same expiration time to a
> second domain. Is there a way to do it just by configuring apache and
> its standard modules? I do not want to _edit_ the Set-Cookie header. I
> want to _add_ a second Set-Cookie header that is identical to the
> first with the exception of the domain.
> 
> Here's an example:
> 
> The content generator gives the response
> 
> Set-Cookie: cookie_name=cookie_value; domain=host.domain.net;
> expires=Mon, 20 Jun 2011 10:00:00 GMT
> 
> I want the response
> 
> Set-Cookie: cookie_name=cookie_value; domain=host.domain.net;
> expires=Mon, 20 Jun 2011 10:00:00 GMT
> Set-Cookie: cookie_name=cookie_value; domain=.domain.net; expires=Mon,
> 20 Jun 2011 10:00:00 GMT
> 
> Can I get this response just by changing the configuration of apache?
> 
> "Header edit cookie_name(.*)domain=[^;]+(.*)
> cookie_name$1domain=.domain.net$2" does not help as it only moves the
> cookie from one domain to the other and I want it copied, not moved.


That is really how it should be.  A second header of the same name isn't
really allowed in the specification.  I realize that some CGI tools
successfully add it in, and browsers do try to handle multiples, but it
isn't supposed to happen.

Two viable options :

Print one header with a 302 in order to force the browser to make a
second request that we can get the other cookie into.

Respond with javascript that sets the cookie for the second domain.

Joe
-- 
Director - Systems Administration
http://www.silverhawk.net/