You are viewing a plain text version of this content. The canonical link for it is here.
Posted to httpclient-users@hc.apache.org by Reinhard Pagitsch <re...@isis-papyrus.com> on 2008/10/20 09:17:35 UTC
HttpClient and cookies
Hello to all,
From our webserver I get a session cookie in the form
POSESSIONID="dfgsdfgsdg="
But the HTTPClient sends back the cookie in the form
POSESSIONID=dfgsdfgsdg=.
Therefore no authentication is done. Is there a way to configure the
HttpClient to send back
the session cookie as it is and do no modifications?
Thank you,
Reinhard
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Reinhard Pagitsch <re...@isis-papyrus.com>.
Thank you,
Reinhard
Oleg Kalnichevski wrote:
> On Tue, 2008-10-21 at 08:52 +0200, Reinhard Pagitsch wrote:
> > Hello Oleg,
> >
> > Please can you tell me how I have to implement this custom CookieSpec? I
> > am not really a Java programmer. The code I have is from a customer
> > who uses our Webserver with HttpClient, so I can tell him what he can do
> > in the meantime (until he will get a fix from us).
> >
> > Thank you,
> > Reinhard
> >
>
> You need to implement this interface
>
> http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/cookie/CookieSpec.html
>
> or subclass CookieSpecBase and override #formatCookie* methods
>
> http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/cookie/CookieSpecBase.html
>
> and then instruct HttpClient to use that custom spec as described here
>
> http://hc.apache.org/httpclient-3.x/cookies.html
>
> Oleg
>
> > Oleg Kalnichevski wrote:
> > > On Mon, 2008-10-20 at 09:17 +0200, Reinhard Pagitsch wrote:
> > > > Hello to all,
> > > >
> > > > From our webserver I get a session cookie in the form
> > > > POSESSIONID="dfgsdfgsdg="
> > > > But the HTTPClient sends back the cookie in the form
> > > > POSESSIONID=dfgsdfgsdg=.
> > > > Therefore no authentication is done. Is there a way to configure the
> > > > HttpClient to send back
> > > > the session cookie as it is and do no modifications?
> > > >
> > > > Thank you,
> > > > Reinhard
> > > >
> > >
> > > Reinhard,
> > >
> > > You have two options
> > > (1) fix the broken server side script
> > > (2) implement a custom CookieSpec that formats cookies in the way
> > > compatible with the broken server side script
> > >
> > > Oleg
> > >
> > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
> > >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
>
--
Reinhard Pagitsch
IBA Team
ISIS Information Systems
Alter Wienerweg 12
A-2344 Ma. Enzersdorf, Austria
Phone: +43-2236-27551-219
Fax: +43-2236-21081
E-mail: reinhard.pagitsch@isis-papyrus.com
Product Support: +43-2236-27551-111
Open a support case via the ISIS Support Case Order Form:
http://www.isis-papyrus.com/e/pages/forms/2/hlorderform.html
Visit the ISIS Website: http://www.isis-papyrus.com
-----------------------------------------------------------------------
This e-mail is only intended for the recipient and not legally binding.
Unauthorised use, publication, reproduction or disclosure of the content
of this e-mail is not permitted. This email has been checked for known
viruses, but ISIS accepts no responsibility for malicious or
inappropriate content.
-----------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2008-10-21 at 08:52 +0200, Reinhard Pagitsch wrote:
> Hello Oleg,
>
> Please can you tell me how I have to implement this custom CookieSpec? I
> am not really a Java programmer. The code I have is from a customer
> who uses our Webserver with HttpClient, so I can tell him what he can do
> in the meantime (until he will get a fix from us).
>
> Thank you,
> Reinhard
>
You need to implement this interface
http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/cookie/CookieSpec.html
or subclass CookieSpecBase and override #formatCookie* methods
http://hc.apache.org/httpclient-3.x/apidocs/org/apache/commons/httpclient/cookie/CookieSpecBase.html
and then instruct HttpClient to use that custom spec as described here
http://hc.apache.org/httpclient-3.x/cookies.html
Oleg
> Oleg Kalnichevski wrote:
> > On Mon, 2008-10-20 at 09:17 +0200, Reinhard Pagitsch wrote:
> > > Hello to all,
> > >
> > > From our webserver I get a session cookie in the form
> > > POSESSIONID="dfgsdfgsdg="
> > > But the HTTPClient sends back the cookie in the form
> > > POSESSIONID=dfgsdfgsdg=.
> > > Therefore no authentication is done. Is there a way to configure the
> > > HttpClient to send back
> > > the session cookie as it is and do no modifications?
> > >
> > > Thank you,
> > > Reinhard
> > >
> >
> > Reinhard,
> >
> > You have two options
> > (1) fix the broken server side script
> > (2) implement a custom CookieSpec that formats cookies in the way
> > compatible with the broken server side script
> >
> > Oleg
> >
> >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
> >
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Reinhard Pagitsch <re...@isis-papyrus.com>.
Hello Oleg,
Please can you tell me how I have to implement this custom CookieSpec? I
am not really a Java programmer. The code I have is from a customer
who uses our Webserver with HttpClient, so I can tell him what he can do
in the meantime (until he will get a fix from us).
Thank you,
Reinhard
Oleg Kalnichevski wrote:
> On Mon, 2008-10-20 at 09:17 +0200, Reinhard Pagitsch wrote:
> > Hello to all,
> >
> > From our webserver I get a session cookie in the form
> > POSESSIONID="dfgsdfgsdg="
> > But the HTTPClient sends back the cookie in the form
> > POSESSIONID=dfgsdfgsdg=.
> > Therefore no authentication is done. Is there a way to configure the
> > HttpClient to send back
> > the session cookie as it is and do no modifications?
> >
> > Thank you,
> > Reinhard
> >
>
> Reinhard,
>
> You have two options
> (1) fix the broken server side script
> (2) implement a custom CookieSpec that formats cookies in the way
> compatible with the broken server side script
>
> Oleg
>
>
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
>
--
Reinhard Pagitsch
IBA Team
ISIS Information Systems
Alter Wienerweg 12
A-2344 Ma. Enzersdorf, Austria
Phone: +43-2236-27551-219
Fax: +43-2236-21081
E-mail: reinhard.pagitsch@isis-papyrus.com
Product Support: +43-2236-27551-111
Open a support case via the ISIS Support Case Order Form:
http://www.isis-papyrus.com/e/pages/forms/2/hlorderform.html
Visit the ISIS Website: http://www.isis-papyrus.com
-----------------------------------------------------------------------
This e-mail is only intended for the recipient and not legally binding.
Unauthorised use, publication, reproduction or disclosure of the content
of this e-mail is not permitted. This email has been checked for known
viruses, but ISIS accepts no responsibility for malicious or
inappropriate content.
-----------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2008-10-20 at 09:17 +0200, Reinhard Pagitsch wrote:
> Hello to all,
>
> From our webserver I get a session cookie in the form
> POSESSIONID="dfgsdfgsdg="
> But the HTTPClient sends back the cookie in the form
> POSESSIONID=dfgsdfgsdg=.
> Therefore no authentication is done. Is there a way to configure the
> HttpClient to send back
> the session cookie as it is and do no modifications?
>
> Thank you,
> Reinhard
>
Reinhard,
You have two options
(1) fix the broken server side script
(2) implement a custom CookieSpec that formats cookies in the way
compatible with the broken server side script
Oleg
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2008-10-21 at 08:45 +0200, Reinhard Pagitsch wrote:
> Hello Joseph,
>
> But why my Browsers (FF and IE) are sending the cookies back
> "correctly"? Or the Browsers are also "broken"?
>
This is a _server_ side problem. This has nothing to do with browsers.
By the way all common browsers have to support non standard cookie
behaviors due to all those broken server side scripts in the wild.
So, fix things where the fix is due
Oleg
> Thank you,
> Reinhard
>
> Joseph Mocker wrote:
> > It sounds like your webserver, or whatever is generating & processing
> > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > quotes are reserved characters, they are not allowed in the cookie value.
> >
> > They say the cookie value can be either
> >
> > token | quoted-string
> >
> > where
> >
> > token = 1*<any CHAR except CTLs or tspecials>
> >
> > tspecials = "(" | ")" | "<" | ">" | "@"
> > | "," | ";" | ":" | "\" | <">
> > | "/" | "[" | "]" | "?" | "="
> > | "{" | "}" | SP | HT
> >
> > and
> >
> > quoted-string = ( <"> *(qdtext) <"> )
> >
> > qdtext = <any TEXT except <">>
> >
> >
> > So in your example, the quoted-string form is used, therefore the
> > quotes are not part of the cookie value.
> >
> > Perhaps one of the developers can comment?
> >
> > --joe
> >
> >
> > Reinhard Pagitsch wrote:
> >> Hello to all,
> >>
> >> From our webserver I get a session cookie in the form
> >> POSESSIONID="dfgsdfgsdg="
> >> But the HTTPClient sends back the cookie in the form
> >> POSESSIONID=dfgsdfgsdg=.
> >> Therefore no authentication is done. Is there a way to configure the
> >> HttpClient to send back
> >> the session cookie as it is and do no modifications?
> >>
> >> Thank you,
> >> Reinhard
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> >> For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Reinhard Pagitsch <re...@isis-papyrus.com>.
Hello Joseph,
But why my Browsers (FF and IE) are sending the cookies back
"correctly"? Or the Browsers are also "broken"?
Thank you,
Reinhard
Joseph Mocker wrote:
> It sounds like your webserver, or whatever is generating & processing
> the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> quotes are reserved characters, they are not allowed in the cookie value.
>
> They say the cookie value can be either
>
> token | quoted-string
>
> where
>
> token = 1*<any CHAR except CTLs or tspecials>
>
> tspecials = "(" | ")" | "<" | ">" | "@"
> | "," | ";" | ":" | "\" | <">
> | "/" | "[" | "]" | "?" | "="
> | "{" | "}" | SP | HT
>
> and
>
> quoted-string = ( <"> *(qdtext) <"> )
>
> qdtext = <any TEXT except <">>
>
>
> So in your example, the quoted-string form is used, therefore the
> quotes are not part of the cookie value.
>
> Perhaps one of the developers can comment?
>
> --joe
>
>
> Reinhard Pagitsch wrote:
>> Hello to all,
>>
>> From our webserver I get a session cookie in the form
>> POSESSIONID="dfgsdfgsdg="
>> But the HTTPClient sends back the cookie in the form
>> POSESSIONID=dfgsdfgsdg=.
>> Therefore no authentication is done. Is there a way to configure the
>> HttpClient to send back
>> the session cookie as it is and do no modifications?
>>
>> Thank you,
>> Reinhard
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
--
Reinhard Pagitsch
IBA Team
ISIS Information Systems
Alter Wienerweg 12
A-2344 Ma. Enzersdorf, Austria
Phone: +43-2236-27551-219
Fax: +43-2236-21081
E-mail: reinhard.pagitsch@isis-papyrus.com
Product Support: +43-2236-27551-111
Open a support case via the ISIS Support Case Order Form:
http://www.isis-papyrus.com/e/pages/forms/2/hlorderform.html
Visit the ISIS Website: http://www.isis-papyrus.com
-----------------------------------------------------------------------
This e-mail is only intended for the recipient and not legally binding.
Unauthorised use, publication, reproduction or disclosure of the content
of this e-mail is not permitted. This email has been checked for known
viruses, but ISIS accepts no responsibility for malicious or
inappropriate content.
-----------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2008-10-22 at 19:15 +0100, sebb wrote:
> On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > On Wed, 2008-10-22 at 19:00 +0100, sebb wrote:
> > > On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > On Wed, 2008-10-22 at 11:52 +0100, sebb wrote:
> > > > > On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > On Tue, 2008-10-21 at 20:50 +0100, sebb wrote:
> > > > > > > On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > > > On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > > > > > > > > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > > > > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > > > > > > > > It sounds like your webserver, or whatever is generating & processing
> > > > > > > > > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > > > > > > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > > > > > > > > >
> > > > > > > > > > > They say the cookie value can be either
> > > > > > > > > > >
> > > > > > > > > > > token | quoted-string
> > > > > > > > > > >
> > > > > > > > > > > where
> > > > > > > > > > >
> > > > > > > > > > > token = 1*<any CHAR except CTLs or tspecials>
> > > > > > > > > > >
> > > > > > > > > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > > > > > > > > | "," | ";" | ":" | "\" | <">
> > > > > > > > > > > | "/" | "[" | "]" | "?" | "="
> > > > > > > > > > > | "{" | "}" | SP | HT
> > > > > > > > > > >
> > > > > > > > > > > and
> > > > > > > > > > >
> > > > > > > > > > > quoted-string = ( <"> *(qdtext) <"> )
> > > > > > > > > > >
> > > > > > > > > > > qdtext = <any TEXT except <">>
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > > > > > > > > are not part of the cookie value.
> > > > > > > > > > >
> > > > > > > > > > > Perhaps one of the developers can comment?
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Joe,
> > > > > > > > > >
> > > > > > > > > > I second that. The culprit is the broken server side script.
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > I agree that the quotes are not part of the value, however, I don't
> > > > > > > > > agree that the server is broken.
> > > > > > > > >
> > > > > > > > > RFC 2109 says that the cookie value can be a token, or a quoted
> > > > > > > > > string. Given that arbitrary white-space is allowed between tokens,
> > > > > > > > > quotes are required to preserve spaces and any other special
> > > > > > > > > characters.
> > > > > > > > >
> > > > > > > > > In this case the trailing "=" is not allowed in a plain token, but it
> > > > > > > > > is allowed in TEXT.
> > > > > > > > >
> > > > > > > > > RFC 2068 says:
> > > > > > > > >
> > > > > > > > > CTL = <any US-ASCII control character
> > > > > > > > > (octets 0 - 31) and DEL (127)>
> > > > > > > > >
> > > > > > > > > TEXT = <any OCTET except CTLs,
> > > > > > > > > but including LWS>
> > > > > > > > >
> > > > > > > > > So for example the value <Apache HttpClient> would need to be provided as:
> > > > > > > > >
> > > > > > > > > Set-Cookie: Product="Apache HttpClient"
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > and returned to the server as
> > > > > > > > >
> > > > > > > > > Cookie: Product="Apache HttpClient"
> > > > > > > > >
> > > > > > > > > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > > > > > > > > Set-Cookie and Cookie headers.
> > > > > > > > >
> > > > > > > > > It's not clear from RFC2108 whether user agents are allowed to strip
> > > > > > > > > quotes from values if the quotes are not necessary - i.e. where the
> > > > > > > > > value is a valid token - but it seems to me that user agents must not
> > > > > > > > > strip quotes which are required to ensure that the value is valid.
> > > > > > > > >
> > > > > > > > > As far as I can tell, the header:
> > > > > > > > >
> > > > > > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > > > > > >
> > > > > > > > > is not valid according to RFC2109 , because the trailing "=" is not
> > > > > > > > > valid in a token - it has to be quoted as in:
> > > > > > > > >
> > > > > > > > > Cookie: POSESSIONID="dfgsdfgsdg="
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Well, it is all nice and dandy, and I almost got convinced, but there is
> > > > > > > > one little detail. The Set-Cookie header in question violates both
> > > > > > > > RFC2109 and RFC2965 by not including the mandatory Version attribute.
> > > > > > >
> > > > > > > OK, I'd overlooked that detail.
> > > > > > >
> > > > > > > > Therefore, all well-behaved HTTP agents MUST treat that cookie as
> > > > > > > > Netscape compatible. As far as Netscape cookie draft is concerned the
> > > > > > > > following cookie is perfectly valid, as the spec does not impose any
> > > > > > > > restrictions on characters used in cookie values:
> > > > > > > >
> > > > > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > > > > >
> > > > > > >
> > > > > > > I found a copy of the Netscape draft at:
> > > > > > >
> > > > > > > http://curl.haxx.se/rfc/cookie_spec.html
> > > > > > >
> > > > > > > Which says:
> > > > > > >
> > > > > > > >>>
> > > > > > > Set-Cookie: NAME=VALUE; expires=DATE;
> > > > > > > path=PATH; domain=DOMAIN_NAME; secure
> > > > > > >
> > > > > > > NAME=VALUE
> > > > > > > This string is a sequence of characters excluding semi-colon, comma
> > > > > > > and white space. If there is a need to place such data in the name or
> > > > > > > value, some encoding method such as URL style %XX encoding is
> > > > > > > recommended, though no encoding is defined or required.
> > > > > > > <<<
> > > > > > >
> > > > > > > I read this as meaning that " (double-quote) is valid as a character
> > > > > > > in a Netscape cookie value.
> > > > > > >
> > > > > > > In which case I contend that the server is entitled to send the cookie
> > > > > > > value with quotes in it and to expect the quotes in the cookie to be
> > > > > > > returned by the user agent.
> > > > > >
> > > > > >
> > > > > > Netscape draft leaves a lot of room for different interpretations. I
> > > > > > certainly do not see any reason why the server should reject a cookie
> > > > > > without the quotes in the cookie value. To me, the server script is
> > > > > > still utterly broken.
> > > > > >
> > > > >
> > > > > My reading of the spec. suggests that the quotes are part of the
> > > > > value, in which case it is clearly an error to remove them, and the
> > > > > server is correct in not recognising the value.
> > > > >
> > > > > As far as I can tell, the Netscape draft does not allow for any form
> > > > > of quoting, therefore it is an error to assume that enclosing quotes
> > > > > can be removed.
> > > > >
> > > >
> > > >
> > > > I am not sure I can agree to that. I do not see anything in the draft
> > > > suggesting that quoting may be disallowed. Moreover, the draft clearly
> > > > states "some encoding method ... is recommended". To me, that clearly
> > > > includes quoting.
> > > >
> > >
> > > Quoting != encoding.
> > >
> >
> >
> > Why?
> >
>
> Not sure how to explain that. They both have the same goal - to ensure
> that the value is interpreted correctly - but the mechanism is
> different.
>
I respectfully disagree. Any transformation that disambiguates input is
encoding to me.
> >
> > > Besides, if there is quoting method then there needs to be a
> > > definition of what characters require quoting, and what the quoting
> > > character(s) are.
> > >
> >
> >
> > That is why I think Netscape draft is inherently ambiguous and Netscape
> > cookies ought to be avoided
> >
>
> Agreed the spec is ambiguous and incomplete.
>
> But HC purports to support Netscape cookies, and so should try to
> support the de facto behaviour of Netscape cookies.
>
I agree to that. What I cannot agree to is that one (in my opinion,
clearly broken) CGI script constitutes the de facto behaviour.
Anyway, feel free to make adjustments to the existing cookie specs you
deem necessary.
Oleg
> > Oleg
> >
> >
> >
> > > If we assume it follows RFC2109 in that regard, then "=" needs to be quoted.
> > >
> > > I guess it would be useful to know how the particular server behaves
> > > if there is no "=" in the cookie value. Likewise browsers.
> > >
> > > > Oleg
> > > >
> > > >
> > > > >
> > > > > >
> > > > > > Oleg
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > > So, the server is _badly_ broken form the standpoint of both RFC2109 and
> > > > > > > > RFC2965, and on top of that it even messes up Netscape compatibility.
> > > > > > > >
> > > > > > >
> > > > > > > It may be broken in terms of the RFCs, but to me it seems to be OK as
> > > > > > > far as the Netscape spec is concerned.
> > > > > > >
> > > > > > > > Oleg
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Oleg
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > --joe
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Reinhard Pagitsch wrote:
> > > > > > > > > > > > Hello to all,
> > > > > > > > > > > >
> > > > > > > > > > > > From our webserver I get a session cookie in the form
> > > > > > > > > > > > POSESSIONID="dfgsdfgsdg="
> > > > > > > > > > > > But the HTTPClient sends back the cookie in the form
> > > > > > > > > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > > > > > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > > > > > > > > HttpClient to send back
> > > > > > > > > > > > the session cookie as it is and do no modifications?
> > > > > > > > > > > >
> > > > > > > > > > > > Thank you,
> > > > > > > > > > > > Reinhard
> > > > > > > > > > > >
> > > > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > >
> > > > > >
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > >
> > > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by sebb <se...@gmail.com>.
On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Wed, 2008-10-22 at 19:00 +0100, sebb wrote:
> > On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > On Wed, 2008-10-22 at 11:52 +0100, sebb wrote:
> > > > On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > On Tue, 2008-10-21 at 20:50 +0100, sebb wrote:
> > > > > > On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > > On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > > > > > > > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > > > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > > > > > > > It sounds like your webserver, or whatever is generating & processing
> > > > > > > > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > > > > > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > > > > > > > >
> > > > > > > > > > They say the cookie value can be either
> > > > > > > > > >
> > > > > > > > > > token | quoted-string
> > > > > > > > > >
> > > > > > > > > > where
> > > > > > > > > >
> > > > > > > > > > token = 1*<any CHAR except CTLs or tspecials>
> > > > > > > > > >
> > > > > > > > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > > > > > > > | "," | ";" | ":" | "\" | <">
> > > > > > > > > > | "/" | "[" | "]" | "?" | "="
> > > > > > > > > > | "{" | "}" | SP | HT
> > > > > > > > > >
> > > > > > > > > > and
> > > > > > > > > >
> > > > > > > > > > quoted-string = ( <"> *(qdtext) <"> )
> > > > > > > > > >
> > > > > > > > > > qdtext = <any TEXT except <">>
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > > > > > > > are not part of the cookie value.
> > > > > > > > > >
> > > > > > > > > > Perhaps one of the developers can comment?
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Joe,
> > > > > > > > >
> > > > > > > > > I second that. The culprit is the broken server side script.
> > > > > > > > >
> > > > > > > >
> > > > > > > > I agree that the quotes are not part of the value, however, I don't
> > > > > > > > agree that the server is broken.
> > > > > > > >
> > > > > > > > RFC 2109 says that the cookie value can be a token, or a quoted
> > > > > > > > string. Given that arbitrary white-space is allowed between tokens,
> > > > > > > > quotes are required to preserve spaces and any other special
> > > > > > > > characters.
> > > > > > > >
> > > > > > > > In this case the trailing "=" is not allowed in a plain token, but it
> > > > > > > > is allowed in TEXT.
> > > > > > > >
> > > > > > > > RFC 2068 says:
> > > > > > > >
> > > > > > > > CTL = <any US-ASCII control character
> > > > > > > > (octets 0 - 31) and DEL (127)>
> > > > > > > >
> > > > > > > > TEXT = <any OCTET except CTLs,
> > > > > > > > but including LWS>
> > > > > > > >
> > > > > > > > So for example the value <Apache HttpClient> would need to be provided as:
> > > > > > > >
> > > > > > > > Set-Cookie: Product="Apache HttpClient"
> > > > > > > >
> > > > > > > >
> > > > > > > > and returned to the server as
> > > > > > > >
> > > > > > > > Cookie: Product="Apache HttpClient"
> > > > > > > >
> > > > > > > > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > > > > > > > Set-Cookie and Cookie headers.
> > > > > > > >
> > > > > > > > It's not clear from RFC2108 whether user agents are allowed to strip
> > > > > > > > quotes from values if the quotes are not necessary - i.e. where the
> > > > > > > > value is a valid token - but it seems to me that user agents must not
> > > > > > > > strip quotes which are required to ensure that the value is valid.
> > > > > > > >
> > > > > > > > As far as I can tell, the header:
> > > > > > > >
> > > > > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > > > > >
> > > > > > > > is not valid according to RFC2109 , because the trailing "=" is not
> > > > > > > > valid in a token - it has to be quoted as in:
> > > > > > > >
> > > > > > > > Cookie: POSESSIONID="dfgsdfgsdg="
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Well, it is all nice and dandy, and I almost got convinced, but there is
> > > > > > > one little detail. The Set-Cookie header in question violates both
> > > > > > > RFC2109 and RFC2965 by not including the mandatory Version attribute.
> > > > > >
> > > > > > OK, I'd overlooked that detail.
> > > > > >
> > > > > > > Therefore, all well-behaved HTTP agents MUST treat that cookie as
> > > > > > > Netscape compatible. As far as Netscape cookie draft is concerned the
> > > > > > > following cookie is perfectly valid, as the spec does not impose any
> > > > > > > restrictions on characters used in cookie values:
> > > > > > >
> > > > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > > > >
> > > > > >
> > > > > > I found a copy of the Netscape draft at:
> > > > > >
> > > > > > http://curl.haxx.se/rfc/cookie_spec.html
> > > > > >
> > > > > > Which says:
> > > > > >
> > > > > > >>>
> > > > > > Set-Cookie: NAME=VALUE; expires=DATE;
> > > > > > path=PATH; domain=DOMAIN_NAME; secure
> > > > > >
> > > > > > NAME=VALUE
> > > > > > This string is a sequence of characters excluding semi-colon, comma
> > > > > > and white space. If there is a need to place such data in the name or
> > > > > > value, some encoding method such as URL style %XX encoding is
> > > > > > recommended, though no encoding is defined or required.
> > > > > > <<<
> > > > > >
> > > > > > I read this as meaning that " (double-quote) is valid as a character
> > > > > > in a Netscape cookie value.
> > > > > >
> > > > > > In which case I contend that the server is entitled to send the cookie
> > > > > > value with quotes in it and to expect the quotes in the cookie to be
> > > > > > returned by the user agent.
> > > > >
> > > > >
> > > > > Netscape draft leaves a lot of room for different interpretations. I
> > > > > certainly do not see any reason why the server should reject a cookie
> > > > > without the quotes in the cookie value. To me, the server script is
> > > > > still utterly broken.
> > > > >
> > > >
> > > > My reading of the spec. suggests that the quotes are part of the
> > > > value, in which case it is clearly an error to remove them, and the
> > > > server is correct in not recognising the value.
> > > >
> > > > As far as I can tell, the Netscape draft does not allow for any form
> > > > of quoting, therefore it is an error to assume that enclosing quotes
> > > > can be removed.
> > > >
> > >
> > >
> > > I am not sure I can agree to that. I do not see anything in the draft
> > > suggesting that quoting may be disallowed. Moreover, the draft clearly
> > > states "some encoding method ... is recommended". To me, that clearly
> > > includes quoting.
> > >
> >
> > Quoting != encoding.
> >
>
>
> Why?
>
Not sure how to explain that. They both have the same goal - to ensure
that the value is interpreted correctly - but the mechanism is
different.
>
> > Besides, if there is quoting method then there needs to be a
> > definition of what characters require quoting, and what the quoting
> > character(s) are.
> >
>
>
> That is why I think Netscape draft is inherently ambiguous and Netscape
> cookies ought to be avoided
>
Agreed the spec is ambiguous and incomplete.
But HC purports to support Netscape cookies, and so should try to
support the de facto behaviour of Netscape cookies.
> Oleg
>
>
>
> > If we assume it follows RFC2109 in that regard, then "=" needs to be quoted.
> >
> > I guess it would be useful to know how the particular server behaves
> > if there is no "=" in the cookie value. Likewise browsers.
> >
> > > Oleg
> > >
> > >
> > > >
> > > > >
> > > > > Oleg
> > > > >
> > > > >
> > > > > >
> > > > > > > So, the server is _badly_ broken form the standpoint of both RFC2109 and
> > > > > > > RFC2965, and on top of that it even messes up Netscape compatibility.
> > > > > > >
> > > > > >
> > > > > > It may be broken in terms of the RFCs, but to me it seems to be OK as
> > > > > > far as the Netscape spec is concerned.
> > > > > >
> > > > > > > Oleg
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > >
> > > > > > > > > Oleg
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > --joe
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Reinhard Pagitsch wrote:
> > > > > > > > > > > Hello to all,
> > > > > > > > > > >
> > > > > > > > > > > From our webserver I get a session cookie in the form
> > > > > > > > > > > POSESSIONID="dfgsdfgsdg="
> > > > > > > > > > > But the HTTPClient sends back the cookie in the form
> > > > > > > > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > > > > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > > > > > > > HttpClient to send back
> > > > > > > > > > > the session cookie as it is and do no modifications?
> > > > > > > > > > >
> > > > > > > > > > > Thank you,
> > > > > > > > > > > Reinhard
> > > > > > > > > > >
> > > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > >
> > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2008-10-22 at 19:00 +0100, sebb wrote:
> On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > On Wed, 2008-10-22 at 11:52 +0100, sebb wrote:
> > > On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > On Tue, 2008-10-21 at 20:50 +0100, sebb wrote:
> > > > > On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > > > > > > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > > > > > > It sounds like your webserver, or whatever is generating & processing
> > > > > > > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > > > > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > > > > > > >
> > > > > > > > > They say the cookie value can be either
> > > > > > > > >
> > > > > > > > > token | quoted-string
> > > > > > > > >
> > > > > > > > > where
> > > > > > > > >
> > > > > > > > > token = 1*<any CHAR except CTLs or tspecials>
> > > > > > > > >
> > > > > > > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > > > > > > | "," | ";" | ":" | "\" | <">
> > > > > > > > > | "/" | "[" | "]" | "?" | "="
> > > > > > > > > | "{" | "}" | SP | HT
> > > > > > > > >
> > > > > > > > > and
> > > > > > > > >
> > > > > > > > > quoted-string = ( <"> *(qdtext) <"> )
> > > > > > > > >
> > > > > > > > > qdtext = <any TEXT except <">>
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > > > > > > are not part of the cookie value.
> > > > > > > > >
> > > > > > > > > Perhaps one of the developers can comment?
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Joe,
> > > > > > > >
> > > > > > > > I second that. The culprit is the broken server side script.
> > > > > > > >
> > > > > > >
> > > > > > > I agree that the quotes are not part of the value, however, I don't
> > > > > > > agree that the server is broken.
> > > > > > >
> > > > > > > RFC 2109 says that the cookie value can be a token, or a quoted
> > > > > > > string. Given that arbitrary white-space is allowed between tokens,
> > > > > > > quotes are required to preserve spaces and any other special
> > > > > > > characters.
> > > > > > >
> > > > > > > In this case the trailing "=" is not allowed in a plain token, but it
> > > > > > > is allowed in TEXT.
> > > > > > >
> > > > > > > RFC 2068 says:
> > > > > > >
> > > > > > > CTL = <any US-ASCII control character
> > > > > > > (octets 0 - 31) and DEL (127)>
> > > > > > >
> > > > > > > TEXT = <any OCTET except CTLs,
> > > > > > > but including LWS>
> > > > > > >
> > > > > > > So for example the value <Apache HttpClient> would need to be provided as:
> > > > > > >
> > > > > > > Set-Cookie: Product="Apache HttpClient"
> > > > > > >
> > > > > > >
> > > > > > > and returned to the server as
> > > > > > >
> > > > > > > Cookie: Product="Apache HttpClient"
> > > > > > >
> > > > > > > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > > > > > > Set-Cookie and Cookie headers.
> > > > > > >
> > > > > > > It's not clear from RFC2108 whether user agents are allowed to strip
> > > > > > > quotes from values if the quotes are not necessary - i.e. where the
> > > > > > > value is a valid token - but it seems to me that user agents must not
> > > > > > > strip quotes which are required to ensure that the value is valid.
> > > > > > >
> > > > > > > As far as I can tell, the header:
> > > > > > >
> > > > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > > > >
> > > > > > > is not valid according to RFC2109 , because the trailing "=" is not
> > > > > > > valid in a token - it has to be quoted as in:
> > > > > > >
> > > > > > > Cookie: POSESSIONID="dfgsdfgsdg="
> > > > > > >
> > > > > >
> > > > > >
> > > > > > Well, it is all nice and dandy, and I almost got convinced, but there is
> > > > > > one little detail. The Set-Cookie header in question violates both
> > > > > > RFC2109 and RFC2965 by not including the mandatory Version attribute.
> > > > >
> > > > > OK, I'd overlooked that detail.
> > > > >
> > > > > > Therefore, all well-behaved HTTP agents MUST treat that cookie as
> > > > > > Netscape compatible. As far as Netscape cookie draft is concerned the
> > > > > > following cookie is perfectly valid, as the spec does not impose any
> > > > > > restrictions on characters used in cookie values:
> > > > > >
> > > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > > >
> > > > >
> > > > > I found a copy of the Netscape draft at:
> > > > >
> > > > > http://curl.haxx.se/rfc/cookie_spec.html
> > > > >
> > > > > Which says:
> > > > >
> > > > > >>>
> > > > > Set-Cookie: NAME=VALUE; expires=DATE;
> > > > > path=PATH; domain=DOMAIN_NAME; secure
> > > > >
> > > > > NAME=VALUE
> > > > > This string is a sequence of characters excluding semi-colon, comma
> > > > > and white space. If there is a need to place such data in the name or
> > > > > value, some encoding method such as URL style %XX encoding is
> > > > > recommended, though no encoding is defined or required.
> > > > > <<<
> > > > >
> > > > > I read this as meaning that " (double-quote) is valid as a character
> > > > > in a Netscape cookie value.
> > > > >
> > > > > In which case I contend that the server is entitled to send the cookie
> > > > > value with quotes in it and to expect the quotes in the cookie to be
> > > > > returned by the user agent.
> > > >
> > > >
> > > > Netscape draft leaves a lot of room for different interpretations. I
> > > > certainly do not see any reason why the server should reject a cookie
> > > > without the quotes in the cookie value. To me, the server script is
> > > > still utterly broken.
> > > >
> > >
> > > My reading of the spec. suggests that the quotes are part of the
> > > value, in which case it is clearly an error to remove them, and the
> > > server is correct in not recognising the value.
> > >
> > > As far as I can tell, the Netscape draft does not allow for any form
> > > of quoting, therefore it is an error to assume that enclosing quotes
> > > can be removed.
> > >
> >
> >
> > I am not sure I can agree to that. I do not see anything in the draft
> > suggesting that quoting may be disallowed. Moreover, the draft clearly
> > states "some encoding method ... is recommended". To me, that clearly
> > includes quoting.
> >
>
> Quoting != encoding.
>
Why?
> Besides, if there is quoting method then there needs to be a
> definition of what characters require quoting, and what the quoting
> character(s) are.
>
That is why I think Netscape draft is inherently ambiguous and Netscape
cookies ought to be avoided
Oleg
> If we assume it follows RFC2109 in that regard, then "=" needs to be quoted.
>
> I guess it would be useful to know how the particular server behaves
> if there is no "=" in the cookie value. Likewise browsers.
>
> > Oleg
> >
> >
> > >
> > > >
> > > > Oleg
> > > >
> > > >
> > > > >
> > > > > > So, the server is _badly_ broken form the standpoint of both RFC2109 and
> > > > > > RFC2965, and on top of that it even messes up Netscape compatibility.
> > > > > >
> > > > >
> > > > > It may be broken in terms of the RFCs, but to me it seems to be OK as
> > > > > far as the Netscape spec is concerned.
> > > > >
> > > > > > Oleg
> > > > > >
> > > > > >
> > > > > >
> > > > > > > >
> > > > > > > > Oleg
> > > > > > > >
> > > > > > > >
> > > > > > > > > --joe
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Reinhard Pagitsch wrote:
> > > > > > > > > > Hello to all,
> > > > > > > > > >
> > > > > > > > > > From our webserver I get a session cookie in the form
> > > > > > > > > > POSESSIONID="dfgsdfgsdg="
> > > > > > > > > > But the HTTPClient sends back the cookie in the form
> > > > > > > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > > > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > > > > > > HttpClient to send back
> > > > > > > > > > the session cookie as it is and do no modifications?
> > > > > > > > > >
> > > > > > > > > > Thank you,
> > > > > > > > > > Reinhard
> > > > > > > > > >
> > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > >
> > > > > >
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > >
> > > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by sebb <se...@gmail.com>.
On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Wed, 2008-10-22 at 11:52 +0100, sebb wrote:
> > On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > On Tue, 2008-10-21 at 20:50 +0100, sebb wrote:
> > > > On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > > > > > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > > > > > It sounds like your webserver, or whatever is generating & processing
> > > > > > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > > > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > > > > > >
> > > > > > > > They say the cookie value can be either
> > > > > > > >
> > > > > > > > token | quoted-string
> > > > > > > >
> > > > > > > > where
> > > > > > > >
> > > > > > > > token = 1*<any CHAR except CTLs or tspecials>
> > > > > > > >
> > > > > > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > > > > > | "," | ";" | ":" | "\" | <">
> > > > > > > > | "/" | "[" | "]" | "?" | "="
> > > > > > > > | "{" | "}" | SP | HT
> > > > > > > >
> > > > > > > > and
> > > > > > > >
> > > > > > > > quoted-string = ( <"> *(qdtext) <"> )
> > > > > > > >
> > > > > > > > qdtext = <any TEXT except <">>
> > > > > > > >
> > > > > > > >
> > > > > > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > > > > > are not part of the cookie value.
> > > > > > > >
> > > > > > > > Perhaps one of the developers can comment?
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Joe,
> > > > > > >
> > > > > > > I second that. The culprit is the broken server side script.
> > > > > > >
> > > > > >
> > > > > > I agree that the quotes are not part of the value, however, I don't
> > > > > > agree that the server is broken.
> > > > > >
> > > > > > RFC 2109 says that the cookie value can be a token, or a quoted
> > > > > > string. Given that arbitrary white-space is allowed between tokens,
> > > > > > quotes are required to preserve spaces and any other special
> > > > > > characters.
> > > > > >
> > > > > > In this case the trailing "=" is not allowed in a plain token, but it
> > > > > > is allowed in TEXT.
> > > > > >
> > > > > > RFC 2068 says:
> > > > > >
> > > > > > CTL = <any US-ASCII control character
> > > > > > (octets 0 - 31) and DEL (127)>
> > > > > >
> > > > > > TEXT = <any OCTET except CTLs,
> > > > > > but including LWS>
> > > > > >
> > > > > > So for example the value <Apache HttpClient> would need to be provided as:
> > > > > >
> > > > > > Set-Cookie: Product="Apache HttpClient"
> > > > > >
> > > > > >
> > > > > > and returned to the server as
> > > > > >
> > > > > > Cookie: Product="Apache HttpClient"
> > > > > >
> > > > > > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > > > > > Set-Cookie and Cookie headers.
> > > > > >
> > > > > > It's not clear from RFC2108 whether user agents are allowed to strip
> > > > > > quotes from values if the quotes are not necessary - i.e. where the
> > > > > > value is a valid token - but it seems to me that user agents must not
> > > > > > strip quotes which are required to ensure that the value is valid.
> > > > > >
> > > > > > As far as I can tell, the header:
> > > > > >
> > > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > > >
> > > > > > is not valid according to RFC2109 , because the trailing "=" is not
> > > > > > valid in a token - it has to be quoted as in:
> > > > > >
> > > > > > Cookie: POSESSIONID="dfgsdfgsdg="
> > > > > >
> > > > >
> > > > >
> > > > > Well, it is all nice and dandy, and I almost got convinced, but there is
> > > > > one little detail. The Set-Cookie header in question violates both
> > > > > RFC2109 and RFC2965 by not including the mandatory Version attribute.
> > > >
> > > > OK, I'd overlooked that detail.
> > > >
> > > > > Therefore, all well-behaved HTTP agents MUST treat that cookie as
> > > > > Netscape compatible. As far as Netscape cookie draft is concerned the
> > > > > following cookie is perfectly valid, as the spec does not impose any
> > > > > restrictions on characters used in cookie values:
> > > > >
> > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > >
> > > >
> > > > I found a copy of the Netscape draft at:
> > > >
> > > > http://curl.haxx.se/rfc/cookie_spec.html
> > > >
> > > > Which says:
> > > >
> > > > >>>
> > > > Set-Cookie: NAME=VALUE; expires=DATE;
> > > > path=PATH; domain=DOMAIN_NAME; secure
> > > >
> > > > NAME=VALUE
> > > > This string is a sequence of characters excluding semi-colon, comma
> > > > and white space. If there is a need to place such data in the name or
> > > > value, some encoding method such as URL style %XX encoding is
> > > > recommended, though no encoding is defined or required.
> > > > <<<
> > > >
> > > > I read this as meaning that " (double-quote) is valid as a character
> > > > in a Netscape cookie value.
> > > >
> > > > In which case I contend that the server is entitled to send the cookie
> > > > value with quotes in it and to expect the quotes in the cookie to be
> > > > returned by the user agent.
> > >
> > >
> > > Netscape draft leaves a lot of room for different interpretations. I
> > > certainly do not see any reason why the server should reject a cookie
> > > without the quotes in the cookie value. To me, the server script is
> > > still utterly broken.
> > >
> >
> > My reading of the spec. suggests that the quotes are part of the
> > value, in which case it is clearly an error to remove them, and the
> > server is correct in not recognising the value.
> >
> > As far as I can tell, the Netscape draft does not allow for any form
> > of quoting, therefore it is an error to assume that enclosing quotes
> > can be removed.
> >
>
>
> I am not sure I can agree to that. I do not see anything in the draft
> suggesting that quoting may be disallowed. Moreover, the draft clearly
> states "some encoding method ... is recommended". To me, that clearly
> includes quoting.
>
Quoting != encoding.
Besides, if there is quoting method then there needs to be a
definition of what characters require quoting, and what the quoting
character(s) are.
If we assume it follows RFC2109 in that regard, then "=" needs to be quoted.
I guess it would be useful to know how the particular server behaves
if there is no "=" in the cookie value. Likewise browsers.
> Oleg
>
>
> >
> > >
> > > Oleg
> > >
> > >
> > > >
> > > > > So, the server is _badly_ broken form the standpoint of both RFC2109 and
> > > > > RFC2965, and on top of that it even messes up Netscape compatibility.
> > > > >
> > > >
> > > > It may be broken in terms of the RFCs, but to me it seems to be OK as
> > > > far as the Netscape spec is concerned.
> > > >
> > > > > Oleg
> > > > >
> > > > >
> > > > >
> > > > > > >
> > > > > > > Oleg
> > > > > > >
> > > > > > >
> > > > > > > > --joe
> > > > > > > >
> > > > > > > >
> > > > > > > > Reinhard Pagitsch wrote:
> > > > > > > > > Hello to all,
> > > > > > > > >
> > > > > > > > > From our webserver I get a session cookie in the form
> > > > > > > > > POSESSIONID="dfgsdfgsdg="
> > > > > > > > > But the HTTPClient sends back the cookie in the form
> > > > > > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > > > > > HttpClient to send back
> > > > > > > > > the session cookie as it is and do no modifications?
> > > > > > > > >
> > > > > > > > > Thank you,
> > > > > > > > > Reinhard
> > > > > > > > >
> > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > >
> > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2008-10-22 at 11:52 +0100, sebb wrote:
> On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > On Tue, 2008-10-21 at 20:50 +0100, sebb wrote:
> > > On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > > > > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > > > > It sounds like your webserver, or whatever is generating & processing
> > > > > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > > > > >
> > > > > > > They say the cookie value can be either
> > > > > > >
> > > > > > > token | quoted-string
> > > > > > >
> > > > > > > where
> > > > > > >
> > > > > > > token = 1*<any CHAR except CTLs or tspecials>
> > > > > > >
> > > > > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > > > > | "," | ";" | ":" | "\" | <">
> > > > > > > | "/" | "[" | "]" | "?" | "="
> > > > > > > | "{" | "}" | SP | HT
> > > > > > >
> > > > > > > and
> > > > > > >
> > > > > > > quoted-string = ( <"> *(qdtext) <"> )
> > > > > > >
> > > > > > > qdtext = <any TEXT except <">>
> > > > > > >
> > > > > > >
> > > > > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > > > > are not part of the cookie value.
> > > > > > >
> > > > > > > Perhaps one of the developers can comment?
> > > > > > >
> > > > > >
> > > > > >
> > > > > > Joe,
> > > > > >
> > > > > > I second that. The culprit is the broken server side script.
> > > > > >
> > > > >
> > > > > I agree that the quotes are not part of the value, however, I don't
> > > > > agree that the server is broken.
> > > > >
> > > > > RFC 2109 says that the cookie value can be a token, or a quoted
> > > > > string. Given that arbitrary white-space is allowed between tokens,
> > > > > quotes are required to preserve spaces and any other special
> > > > > characters.
> > > > >
> > > > > In this case the trailing "=" is not allowed in a plain token, but it
> > > > > is allowed in TEXT.
> > > > >
> > > > > RFC 2068 says:
> > > > >
> > > > > CTL = <any US-ASCII control character
> > > > > (octets 0 - 31) and DEL (127)>
> > > > >
> > > > > TEXT = <any OCTET except CTLs,
> > > > > but including LWS>
> > > > >
> > > > > So for example the value <Apache HttpClient> would need to be provided as:
> > > > >
> > > > > Set-Cookie: Product="Apache HttpClient"
> > > > >
> > > > >
> > > > > and returned to the server as
> > > > >
> > > > > Cookie: Product="Apache HttpClient"
> > > > >
> > > > > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > > > > Set-Cookie and Cookie headers.
> > > > >
> > > > > It's not clear from RFC2108 whether user agents are allowed to strip
> > > > > quotes from values if the quotes are not necessary - i.e. where the
> > > > > value is a valid token - but it seems to me that user agents must not
> > > > > strip quotes which are required to ensure that the value is valid.
> > > > >
> > > > > As far as I can tell, the header:
> > > > >
> > > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > > >
> > > > > is not valid according to RFC2109 , because the trailing "=" is not
> > > > > valid in a token - it has to be quoted as in:
> > > > >
> > > > > Cookie: POSESSIONID="dfgsdfgsdg="
> > > > >
> > > >
> > > >
> > > > Well, it is all nice and dandy, and I almost got convinced, but there is
> > > > one little detail. The Set-Cookie header in question violates both
> > > > RFC2109 and RFC2965 by not including the mandatory Version attribute.
> > >
> > > OK, I'd overlooked that detail.
> > >
> > > > Therefore, all well-behaved HTTP agents MUST treat that cookie as
> > > > Netscape compatible. As far as Netscape cookie draft is concerned the
> > > > following cookie is perfectly valid, as the spec does not impose any
> > > > restrictions on characters used in cookie values:
> > > >
> > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > >
> > >
> > > I found a copy of the Netscape draft at:
> > >
> > > http://curl.haxx.se/rfc/cookie_spec.html
> > >
> > > Which says:
> > >
> > > >>>
> > > Set-Cookie: NAME=VALUE; expires=DATE;
> > > path=PATH; domain=DOMAIN_NAME; secure
> > >
> > > NAME=VALUE
> > > This string is a sequence of characters excluding semi-colon, comma
> > > and white space. If there is a need to place such data in the name or
> > > value, some encoding method such as URL style %XX encoding is
> > > recommended, though no encoding is defined or required.
> > > <<<
> > >
> > > I read this as meaning that " (double-quote) is valid as a character
> > > in a Netscape cookie value.
> > >
> > > In which case I contend that the server is entitled to send the cookie
> > > value with quotes in it and to expect the quotes in the cookie to be
> > > returned by the user agent.
> >
> >
> > Netscape draft leaves a lot of room for different interpretations. I
> > certainly do not see any reason why the server should reject a cookie
> > without the quotes in the cookie value. To me, the server script is
> > still utterly broken.
> >
>
> My reading of the spec. suggests that the quotes are part of the
> value, in which case it is clearly an error to remove them, and the
> server is correct in not recognising the value.
>
> As far as I can tell, the Netscape draft does not allow for any form
> of quoting, therefore it is an error to assume that enclosing quotes
> can be removed.
>
I am not sure I can agree to that. I do not see anything in the draft
suggesting that quoting may be disallowed. Moreover, the draft clearly
states "some encoding method ... is recommended". To me, that clearly
includes quoting.
Oleg
>
> >
> > Oleg
> >
> >
> > >
> > > > So, the server is _badly_ broken form the standpoint of both RFC2109 and
> > > > RFC2965, and on top of that it even messes up Netscape compatibility.
> > > >
> > >
> > > It may be broken in terms of the RFCs, but to me it seems to be OK as
> > > far as the Netscape spec is concerned.
> > >
> > > > Oleg
> > > >
> > > >
> > > >
> > > > > >
> > > > > > Oleg
> > > > > >
> > > > > >
> > > > > > > --joe
> > > > > > >
> > > > > > >
> > > > > > > Reinhard Pagitsch wrote:
> > > > > > > > Hello to all,
> > > > > > > >
> > > > > > > > From our webserver I get a session cookie in the form
> > > > > > > > POSESSIONID="dfgsdfgsdg="
> > > > > > > > But the HTTPClient sends back the cookie in the form
> > > > > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > > > > HttpClient to send back
> > > > > > > > the session cookie as it is and do no modifications?
> > > > > > > >
> > > > > > > > Thank you,
> > > > > > > > Reinhard
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > >
> > > > > >
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > >
> > > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by sebb <se...@gmail.com>.
On 22/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Tue, 2008-10-21 at 20:50 +0100, sebb wrote:
> > On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > > > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > > > It sounds like your webserver, or whatever is generating & processing
> > > > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > > > >
> > > > > > They say the cookie value can be either
> > > > > >
> > > > > > token | quoted-string
> > > > > >
> > > > > > where
> > > > > >
> > > > > > token = 1*<any CHAR except CTLs or tspecials>
> > > > > >
> > > > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > > > | "," | ";" | ":" | "\" | <">
> > > > > > | "/" | "[" | "]" | "?" | "="
> > > > > > | "{" | "}" | SP | HT
> > > > > >
> > > > > > and
> > > > > >
> > > > > > quoted-string = ( <"> *(qdtext) <"> )
> > > > > >
> > > > > > qdtext = <any TEXT except <">>
> > > > > >
> > > > > >
> > > > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > > > are not part of the cookie value.
> > > > > >
> > > > > > Perhaps one of the developers can comment?
> > > > > >
> > > > >
> > > > >
> > > > > Joe,
> > > > >
> > > > > I second that. The culprit is the broken server side script.
> > > > >
> > > >
> > > > I agree that the quotes are not part of the value, however, I don't
> > > > agree that the server is broken.
> > > >
> > > > RFC 2109 says that the cookie value can be a token, or a quoted
> > > > string. Given that arbitrary white-space is allowed between tokens,
> > > > quotes are required to preserve spaces and any other special
> > > > characters.
> > > >
> > > > In this case the trailing "=" is not allowed in a plain token, but it
> > > > is allowed in TEXT.
> > > >
> > > > RFC 2068 says:
> > > >
> > > > CTL = <any US-ASCII control character
> > > > (octets 0 - 31) and DEL (127)>
> > > >
> > > > TEXT = <any OCTET except CTLs,
> > > > but including LWS>
> > > >
> > > > So for example the value <Apache HttpClient> would need to be provided as:
> > > >
> > > > Set-Cookie: Product="Apache HttpClient"
> > > >
> > > >
> > > > and returned to the server as
> > > >
> > > > Cookie: Product="Apache HttpClient"
> > > >
> > > > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > > > Set-Cookie and Cookie headers.
> > > >
> > > > It's not clear from RFC2108 whether user agents are allowed to strip
> > > > quotes from values if the quotes are not necessary - i.e. where the
> > > > value is a valid token - but it seems to me that user agents must not
> > > > strip quotes which are required to ensure that the value is valid.
> > > >
> > > > As far as I can tell, the header:
> > > >
> > > > Cookie: POSESSIONID=dfgsdfgsdg=
> > > >
> > > > is not valid according to RFC2109 , because the trailing "=" is not
> > > > valid in a token - it has to be quoted as in:
> > > >
> > > > Cookie: POSESSIONID="dfgsdfgsdg="
> > > >
> > >
> > >
> > > Well, it is all nice and dandy, and I almost got convinced, but there is
> > > one little detail. The Set-Cookie header in question violates both
> > > RFC2109 and RFC2965 by not including the mandatory Version attribute.
> >
> > OK, I'd overlooked that detail.
> >
> > > Therefore, all well-behaved HTTP agents MUST treat that cookie as
> > > Netscape compatible. As far as Netscape cookie draft is concerned the
> > > following cookie is perfectly valid, as the spec does not impose any
> > > restrictions on characters used in cookie values:
> > >
> > > Cookie: POSESSIONID=dfgsdfgsdg=
> > >
> >
> > I found a copy of the Netscape draft at:
> >
> > http://curl.haxx.se/rfc/cookie_spec.html
> >
> > Which says:
> >
> > >>>
> > Set-Cookie: NAME=VALUE; expires=DATE;
> > path=PATH; domain=DOMAIN_NAME; secure
> >
> > NAME=VALUE
> > This string is a sequence of characters excluding semi-colon, comma
> > and white space. If there is a need to place such data in the name or
> > value, some encoding method such as URL style %XX encoding is
> > recommended, though no encoding is defined or required.
> > <<<
> >
> > I read this as meaning that " (double-quote) is valid as a character
> > in a Netscape cookie value.
> >
> > In which case I contend that the server is entitled to send the cookie
> > value with quotes in it and to expect the quotes in the cookie to be
> > returned by the user agent.
>
>
> Netscape draft leaves a lot of room for different interpretations. I
> certainly do not see any reason why the server should reject a cookie
> without the quotes in the cookie value. To me, the server script is
> still utterly broken.
>
My reading of the spec. suggests that the quotes are part of the
value, in which case it is clearly an error to remove them, and the
server is correct in not recognising the value.
As far as I can tell, the Netscape draft does not allow for any form
of quoting, therefore it is an error to assume that enclosing quotes
can be removed.
>
> Oleg
>
>
> >
> > > So, the server is _badly_ broken form the standpoint of both RFC2109 and
> > > RFC2965, and on top of that it even messes up Netscape compatibility.
> > >
> >
> > It may be broken in terms of the RFCs, but to me it seems to be OK as
> > far as the Netscape spec is concerned.
> >
> > > Oleg
> > >
> > >
> > >
> > > > >
> > > > > Oleg
> > > > >
> > > > >
> > > > > > --joe
> > > > > >
> > > > > >
> > > > > > Reinhard Pagitsch wrote:
> > > > > > > Hello to all,
> > > > > > >
> > > > > > > From our webserver I get a session cookie in the form
> > > > > > > POSESSIONID="dfgsdfgsdg="
> > > > > > > But the HTTPClient sends back the cookie in the form
> > > > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > > > HttpClient to send back
> > > > > > > the session cookie as it is and do no modifications?
> > > > > > >
> > > > > > > Thank you,
> > > > > > > Reinhard
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > > >
> > > > > >
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > >
> > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2008-10-21 at 20:50 +0100, sebb wrote:
> On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > > It sounds like your webserver, or whatever is generating & processing
> > > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > > >
> > > > > They say the cookie value can be either
> > > > >
> > > > > token | quoted-string
> > > > >
> > > > > where
> > > > >
> > > > > token = 1*<any CHAR except CTLs or tspecials>
> > > > >
> > > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > > | "," | ";" | ":" | "\" | <">
> > > > > | "/" | "[" | "]" | "?" | "="
> > > > > | "{" | "}" | SP | HT
> > > > >
> > > > > and
> > > > >
> > > > > quoted-string = ( <"> *(qdtext) <"> )
> > > > >
> > > > > qdtext = <any TEXT except <">>
> > > > >
> > > > >
> > > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > > are not part of the cookie value.
> > > > >
> > > > > Perhaps one of the developers can comment?
> > > > >
> > > >
> > > >
> > > > Joe,
> > > >
> > > > I second that. The culprit is the broken server side script.
> > > >
> > >
> > > I agree that the quotes are not part of the value, however, I don't
> > > agree that the server is broken.
> > >
> > > RFC 2109 says that the cookie value can be a token, or a quoted
> > > string. Given that arbitrary white-space is allowed between tokens,
> > > quotes are required to preserve spaces and any other special
> > > characters.
> > >
> > > In this case the trailing "=" is not allowed in a plain token, but it
> > > is allowed in TEXT.
> > >
> > > RFC 2068 says:
> > >
> > > CTL = <any US-ASCII control character
> > > (octets 0 - 31) and DEL (127)>
> > >
> > > TEXT = <any OCTET except CTLs,
> > > but including LWS>
> > >
> > > So for example the value <Apache HttpClient> would need to be provided as:
> > >
> > > Set-Cookie: Product="Apache HttpClient"
> > >
> > >
> > > and returned to the server as
> > >
> > > Cookie: Product="Apache HttpClient"
> > >
> > > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > > Set-Cookie and Cookie headers.
> > >
> > > It's not clear from RFC2108 whether user agents are allowed to strip
> > > quotes from values if the quotes are not necessary - i.e. where the
> > > value is a valid token - but it seems to me that user agents must not
> > > strip quotes which are required to ensure that the value is valid.
> > >
> > > As far as I can tell, the header:
> > >
> > > Cookie: POSESSIONID=dfgsdfgsdg=
> > >
> > > is not valid according to RFC2109 , because the trailing "=" is not
> > > valid in a token - it has to be quoted as in:
> > >
> > > Cookie: POSESSIONID="dfgsdfgsdg="
> > >
> >
> >
> > Well, it is all nice and dandy, and I almost got convinced, but there is
> > one little detail. The Set-Cookie header in question violates both
> > RFC2109 and RFC2965 by not including the mandatory Version attribute.
>
> OK, I'd overlooked that detail.
>
> > Therefore, all well-behaved HTTP agents MUST treat that cookie as
> > Netscape compatible. As far as Netscape cookie draft is concerned the
> > following cookie is perfectly valid, as the spec does not impose any
> > restrictions on characters used in cookie values:
> >
> > Cookie: POSESSIONID=dfgsdfgsdg=
> >
>
> I found a copy of the Netscape draft at:
>
> http://curl.haxx.se/rfc/cookie_spec.html
>
> Which says:
>
> >>>
> Set-Cookie: NAME=VALUE; expires=DATE;
> path=PATH; domain=DOMAIN_NAME; secure
>
> NAME=VALUE
> This string is a sequence of characters excluding semi-colon, comma
> and white space. If there is a need to place such data in the name or
> value, some encoding method such as URL style %XX encoding is
> recommended, though no encoding is defined or required.
> <<<
>
> I read this as meaning that " (double-quote) is valid as a character
> in a Netscape cookie value.
>
> In which case I contend that the server is entitled to send the cookie
> value with quotes in it and to expect the quotes in the cookie to be
> returned by the user agent.
Netscape draft leaves a lot of room for different interpretations. I
certainly do not see any reason why the server should reject a cookie
without the quotes in the cookie value. To me, the server script is
still utterly broken.
Oleg
>
> > So, the server is _badly_ broken form the standpoint of both RFC2109 and
> > RFC2965, and on top of that it even messes up Netscape compatibility.
> >
>
> It may be broken in terms of the RFCs, but to me it seems to be OK as
> far as the Netscape spec is concerned.
>
> > Oleg
> >
> >
> >
> > > >
> > > > Oleg
> > > >
> > > >
> > > > > --joe
> > > > >
> > > > >
> > > > > Reinhard Pagitsch wrote:
> > > > > > Hello to all,
> > > > > >
> > > > > > From our webserver I get a session cookie in the form
> > > > > > POSESSIONID="dfgsdfgsdg="
> > > > > > But the HTTPClient sends back the cookie in the form
> > > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > > HttpClient to send back
> > > > > > the session cookie as it is and do no modifications?
> > > > > >
> > > > > > Thank you,
> > > > > > Reinhard
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > > >
> > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by sebb <se...@gmail.com>.
On 21/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> > On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > > It sounds like your webserver, or whatever is generating & processing
> > > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > > quotes are reserved characters, they are not allowed in the cookie value.
> > > >
> > > > They say the cookie value can be either
> > > >
> > > > token | quoted-string
> > > >
> > > > where
> > > >
> > > > token = 1*<any CHAR except CTLs or tspecials>
> > > >
> > > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > > | "," | ";" | ":" | "\" | <">
> > > > | "/" | "[" | "]" | "?" | "="
> > > > | "{" | "}" | SP | HT
> > > >
> > > > and
> > > >
> > > > quoted-string = ( <"> *(qdtext) <"> )
> > > >
> > > > qdtext = <any TEXT except <">>
> > > >
> > > >
> > > > So in your example, the quoted-string form is used, therefore the quotes
> > > > are not part of the cookie value.
> > > >
> > > > Perhaps one of the developers can comment?
> > > >
> > >
> > >
> > > Joe,
> > >
> > > I second that. The culprit is the broken server side script.
> > >
> >
> > I agree that the quotes are not part of the value, however, I don't
> > agree that the server is broken.
> >
> > RFC 2109 says that the cookie value can be a token, or a quoted
> > string. Given that arbitrary white-space is allowed between tokens,
> > quotes are required to preserve spaces and any other special
> > characters.
> >
> > In this case the trailing "=" is not allowed in a plain token, but it
> > is allowed in TEXT.
> >
> > RFC 2068 says:
> >
> > CTL = <any US-ASCII control character
> > (octets 0 - 31) and DEL (127)>
> >
> > TEXT = <any OCTET except CTLs,
> > but including LWS>
> >
> > So for example the value <Apache HttpClient> would need to be provided as:
> >
> > Set-Cookie: Product="Apache HttpClient"
> >
> >
> > and returned to the server as
> >
> > Cookie: Product="Apache HttpClient"
> >
> > Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> > Set-Cookie and Cookie headers.
> >
> > It's not clear from RFC2108 whether user agents are allowed to strip
> > quotes from values if the quotes are not necessary - i.e. where the
> > value is a valid token - but it seems to me that user agents must not
> > strip quotes which are required to ensure that the value is valid.
> >
> > As far as I can tell, the header:
> >
> > Cookie: POSESSIONID=dfgsdfgsdg=
> >
> > is not valid according to RFC2109 , because the trailing "=" is not
> > valid in a token - it has to be quoted as in:
> >
> > Cookie: POSESSIONID="dfgsdfgsdg="
> >
>
>
> Well, it is all nice and dandy, and I almost got convinced, but there is
> one little detail. The Set-Cookie header in question violates both
> RFC2109 and RFC2965 by not including the mandatory Version attribute.
OK, I'd overlooked that detail.
> Therefore, all well-behaved HTTP agents MUST treat that cookie as
> Netscape compatible. As far as Netscape cookie draft is concerned the
> following cookie is perfectly valid, as the spec does not impose any
> restrictions on characters used in cookie values:
>
> Cookie: POSESSIONID=dfgsdfgsdg=
>
I found a copy of the Netscape draft at:
http://curl.haxx.se/rfc/cookie_spec.html
Which says:
>>>
Set-Cookie: NAME=VALUE; expires=DATE;
path=PATH; domain=DOMAIN_NAME; secure
NAME=VALUE
This string is a sequence of characters excluding semi-colon, comma
and white space. If there is a need to place such data in the name or
value, some encoding method such as URL style %XX encoding is
recommended, though no encoding is defined or required.
<<<
I read this as meaning that " (double-quote) is valid as a character
in a Netscape cookie value.
In which case I contend that the server is entitled to send the cookie
value with quotes in it and to expect the quotes in the cookie to be
returned by the user agent.
> So, the server is _badly_ broken form the standpoint of both RFC2109 and
> RFC2965, and on top of that it even messes up Netscape compatibility.
>
It may be broken in terms of the RFCs, but to me it seems to be OK as
far as the Netscape spec is concerned.
> Oleg
>
>
>
> > >
> > > Oleg
> > >
> > >
> > > > --joe
> > > >
> > > >
> > > > Reinhard Pagitsch wrote:
> > > > > Hello to all,
> > > > >
> > > > > From our webserver I get a session cookie in the form
> > > > > POSESSIONID="dfgsdfgsdg="
> > > > > But the HTTPClient sends back the cookie in the form
> > > > > POSESSIONID=dfgsdfgsdg=.
> > > > > Therefore no authentication is done. Is there a way to configure the
> > > > > HttpClient to send back
> > > > > the session cookie as it is and do no modifications?
> > > > >
> > > > > Thank you,
> > > > > Reinhard
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2008-10-21 at 13:07 +0100, sebb wrote:
> On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> > On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > > It sounds like your webserver, or whatever is generating & processing
> > > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > > quotes are reserved characters, they are not allowed in the cookie value.
> > >
> > > They say the cookie value can be either
> > >
> > > token | quoted-string
> > >
> > > where
> > >
> > > token = 1*<any CHAR except CTLs or tspecials>
> > >
> > > tspecials = "(" | ")" | "<" | ">" | "@"
> > > | "," | ";" | ":" | "\" | <">
> > > | "/" | "[" | "]" | "?" | "="
> > > | "{" | "}" | SP | HT
> > >
> > > and
> > >
> > > quoted-string = ( <"> *(qdtext) <"> )
> > >
> > > qdtext = <any TEXT except <">>
> > >
> > >
> > > So in your example, the quoted-string form is used, therefore the quotes
> > > are not part of the cookie value.
> > >
> > > Perhaps one of the developers can comment?
> > >
> >
> >
> > Joe,
> >
> > I second that. The culprit is the broken server side script.
> >
>
> I agree that the quotes are not part of the value, however, I don't
> agree that the server is broken.
>
> RFC 2109 says that the cookie value can be a token, or a quoted
> string. Given that arbitrary white-space is allowed between tokens,
> quotes are required to preserve spaces and any other special
> characters.
>
> In this case the trailing "=" is not allowed in a plain token, but it
> is allowed in TEXT.
>
> RFC 2068 says:
>
> CTL = <any US-ASCII control character
> (octets 0 - 31) and DEL (127)>
>
> TEXT = <any OCTET except CTLs,
> but including LWS>
>
> So for example the value <Apache HttpClient> would need to be provided as:
>
> Set-Cookie: Product="Apache HttpClient"
>
>
> and returned to the server as
>
> Cookie: Product="Apache HttpClient"
>
> Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
> Set-Cookie and Cookie headers.
>
> It's not clear from RFC2108 whether user agents are allowed to strip
> quotes from values if the quotes are not necessary - i.e. where the
> value is a valid token - but it seems to me that user agents must not
> strip quotes which are required to ensure that the value is valid.
>
> As far as I can tell, the header:
>
> Cookie: POSESSIONID=dfgsdfgsdg=
>
> is not valid according to RFC2109 , because the trailing "=" is not
> valid in a token - it has to be quoted as in:
>
> Cookie: POSESSIONID="dfgsdfgsdg="
>
Well, it is all nice and dandy, and I almost got convinced, but there is
one little detail. The Set-Cookie header in question violates both
RFC2109 and RFC2965 by not including the mandatory Version attribute.
Therefore, all well-behaved HTTP agents MUST treat that cookie as
Netscape compatible. As far as Netscape cookie draft is concerned the
following cookie is perfectly valid, as the spec does not impose any
restrictions on characters used in cookie values:
Cookie: POSESSIONID=dfgsdfgsdg=
So, the server is _badly_ broken form the standpoint of both RFC2109 and
RFC2965, and on top of that it even messes up Netscape compatibility.
Oleg
> >
> > Oleg
> >
> >
> > > --joe
> > >
> > >
> > > Reinhard Pagitsch wrote:
> > > > Hello to all,
> > > >
> > > > From our webserver I get a session cookie in the form
> > > > POSESSIONID="dfgsdfgsdg="
> > > > But the HTTPClient sends back the cookie in the form
> > > > POSESSIONID=dfgsdfgsdg=.
> > > > Therefore no authentication is done. Is there a way to configure the
> > > > HttpClient to send back
> > > > the session cookie as it is and do no modifications?
> > > >
> > > > Thank you,
> > > > Reinhard
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by sebb <se...@gmail.com>.
On 20/10/2008, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> > It sounds like your webserver, or whatever is generating & processing
> > the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> > quotes are reserved characters, they are not allowed in the cookie value.
> >
> > They say the cookie value can be either
> >
> > token | quoted-string
> >
> > where
> >
> > token = 1*<any CHAR except CTLs or tspecials>
> >
> > tspecials = "(" | ")" | "<" | ">" | "@"
> > | "," | ";" | ":" | "\" | <">
> > | "/" | "[" | "]" | "?" | "="
> > | "{" | "}" | SP | HT
> >
> > and
> >
> > quoted-string = ( <"> *(qdtext) <"> )
> >
> > qdtext = <any TEXT except <">>
> >
> >
> > So in your example, the quoted-string form is used, therefore the quotes
> > are not part of the cookie value.
> >
> > Perhaps one of the developers can comment?
> >
>
>
> Joe,
>
> I second that. The culprit is the broken server side script.
>
I agree that the quotes are not part of the value, however, I don't
agree that the server is broken.
RFC 2109 says that the cookie value can be a token, or a quoted
string. Given that arbitrary white-space is allowed between tokens,
quotes are required to preserve spaces and any other special
characters.
In this case the trailing "=" is not allowed in a plain token, but it
is allowed in TEXT.
RFC 2068 says:
CTL = <any US-ASCII control character
(octets 0 - 31) and DEL (127)>
TEXT = <any OCTET except CTLs,
but including LWS>
So for example the value <Apache HttpClient> would need to be provided as:
Set-Cookie: Product="Apache HttpClient"
and returned to the server as
Cookie: Product="Apache HttpClient"
Likewise, the value <dfgsdfgsdg=> needs to be quoted, both in the
Set-Cookie and Cookie headers.
It's not clear from RFC2108 whether user agents are allowed to strip
quotes from values if the quotes are not necessary - i.e. where the
value is a valid token - but it seems to me that user agents must not
strip quotes which are required to ensure that the value is valid.
As far as I can tell, the header:
Cookie: POSESSIONID=dfgsdfgsdg=
is not valid according to RFC2109 , because the trailing "=" is not
valid in a token - it has to be quoted as in:
Cookie: POSESSIONID="dfgsdfgsdg="
>
> Oleg
>
>
> > --joe
> >
> >
> > Reinhard Pagitsch wrote:
> > > Hello to all,
> > >
> > > From our webserver I get a session cookie in the form
> > > POSESSIONID="dfgsdfgsdg="
> > > But the HTTPClient sends back the cookie in the form
> > > POSESSIONID=dfgsdfgsdg=.
> > > Therefore no authentication is done. Is there a way to configure the
> > > HttpClient to send back
> > > the session cookie as it is and do no modifications?
> > >
> > > Thank you,
> > > Reinhard
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2008-10-20 at 09:42 -0700, Joseph Mocker wrote:
> It sounds like your webserver, or whatever is generating & processing
> the session cookie, is in error. From my reads of RFC2109 & RFC2068,
> quotes are reserved characters, they are not allowed in the cookie value.
>
> They say the cookie value can be either
>
> token | quoted-string
>
> where
>
> token = 1*<any CHAR except CTLs or tspecials>
>
> tspecials = "(" | ")" | "<" | ">" | "@"
> | "," | ";" | ":" | "\" | <">
> | "/" | "[" | "]" | "?" | "="
> | "{" | "}" | SP | HT
>
> and
>
> quoted-string = ( <"> *(qdtext) <"> )
>
> qdtext = <any TEXT except <">>
>
>
> So in your example, the quoted-string form is used, therefore the quotes
> are not part of the cookie value.
>
> Perhaps one of the developers can comment?
>
Joe,
I second that. The culprit is the broken server side script.
Oleg
> --joe
>
>
> Reinhard Pagitsch wrote:
> > Hello to all,
> >
> > From our webserver I get a session cookie in the form
> > POSESSIONID="dfgsdfgsdg="
> > But the HTTPClient sends back the cookie in the form
> > POSESSIONID=dfgsdfgsdg=.
> > Therefore no authentication is done. Is there a way to configure the
> > HttpClient to send back
> > the session cookie as it is and do no modifications?
> >
> > Thank you,
> > Reinhard
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: HttpClient and cookies
Posted by Joseph Mocker <mo...@fakebelieve.org>.
It sounds like your webserver, or whatever is generating & processing
the session cookie, is in error. From my reads of RFC2109 & RFC2068,
quotes are reserved characters, they are not allowed in the cookie value.
They say the cookie value can be either
token | quoted-string
where
token = 1*<any CHAR except CTLs or tspecials>
tspecials = "(" | ")" | "<" | ">" | "@"
| "," | ";" | ":" | "\" | <">
| "/" | "[" | "]" | "?" | "="
| "{" | "}" | SP | HT
and
quoted-string = ( <"> *(qdtext) <"> )
qdtext = <any TEXT except <">>
So in your example, the quoted-string form is used, therefore the quotes
are not part of the cookie value.
Perhaps one of the developers can comment?
--joe
Reinhard Pagitsch wrote:
> Hello to all,
>
> From our webserver I get a session cookie in the form
> POSESSIONID="dfgsdfgsdg="
> But the HTTPClient sends back the cookie in the form
> POSESSIONID=dfgsdfgsdg=.
> Therefore no authentication is done. Is there a way to configure the
> HttpClient to send back
> the session cookie as it is and do no modifications?
>
> Thank you,
> Reinhard
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org