You are viewing a plain text version of this content. The canonical link for it is here.

Posted to httpclient-users@hc.apache.org by Karl Funk <ka...@volantis.com> on 2006/10/16 19:04:00 UTC

Cookie rejection woes..

Perhaps its me, but HttpMethodBase is rejecting cookies that I think are correct. 

I create a new client and make a clean request (with no cookies) to http://somewhere/app/hdat/ . 

The response contains the following Set-Cookie headers 

Set-Cookie: TZS=abc;path=/app;
Set-Cookie: TZS=abc;path=/service;
Set-Cookie: TZS=abc;path=/linkto;
Set-Cookie: TZS=abc;path=/code;

I have also confirmed these headers by network trace. 

But I always get 

WARN  org.apache.commons.httpclient.HttpMethodBase - Cookie rejected: "$Version=0; TZS=abc; $Path=/service". Illegal path attribute "/service". Path of origin: "/app/hdat/"
WARN  org.apache.commons.httpclient.HttpMethodBase - Cookie rejected: "$Version=0; TZS=abc; $Path=/linkto". Illegal path attribute "/linkto". Path of origin: "/app/hdat/"
WARN  org.apache.commons.httpclient.HttpMethodBase - Cookie rejected: "$Version=0; TZS=abc; $Path=/code". Illegal path attribute "/code". Path of origin: "/app/hdat/"

Which confuses me, the cookies are simply being shared between seperate applications, there is no attempt to set for another domain. 

I have tried 

HttpClient client.getParams().setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
HttpClient client.getParams().setCookiePolicy(CookiePolicy.DEFAULT);
HttpClient client.getParams().setCookiePolicy(CookiePolicy.NETSCAPE);
HttpClient client.getParams().setCookiePolicy(CookiePolicy.RFC_2109);

all of which result in he same rejection

and just to be sure I am setting it right I have tried 
HttpClient client.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);
which does indeed ignore the cookies (but this is not what I want!).

But most browsers (in fact all I have tried) work with these cookies. 

So can I convince HttpMethodBase to work on these. - I know that I can parse them out myself and add them back in, but this seems wrong.

Cheers,
Karl.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

Re: Cookie rejection woes..

Posted by Roland Weber <ht...@dubioso.net>.

Hello Karl,

> The response contains the following Set-Cookie headers 
> 
> Set-Cookie: TZS=abc;path=/app;
> Set-Cookie: TZS=abc;path=/service;
> Set-Cookie: TZS=abc;path=/linkto;
> Set-Cookie: TZS=abc;path=/code;
> 
> I have also confirmed these headers by network trace. 
> 
> But I always get 
> 
> WARN  org.apache.commons.httpclient.HttpMethodBase - Cookie rejected: "$Version=0; TZS=abc; $Path=/service". Illegal path attribute "/service". Path of origin: "/app/hdat/"
> WARN  org.apache.commons.httpclient.HttpMethodBase - Cookie rejected: "$Version=0; TZS=abc; $Path=/linkto". Illegal path attribute "/linkto". Path of origin: "/app/hdat/"
> WARN  org.apache.commons.httpclient.HttpMethodBase - Cookie rejected: "$Version=0; TZS=abc; $Path=/code". Illegal path attribute "/code". Path of origin: "/app/hdat/"
> 
> Which confuses me, the cookies are simply being shared between seperate applications, there is no attempt to set for another domain. 

Read the warning again:
  Illegal path attribute "/service". Path of origin: "/app/hdat/"

This has nothing to do with domains, it's about paths. A resource
at /app/hdat/ can set cookies only for path prefixes of /app/hdat/.
If you want to or need to share cookies between resources at /app,
/service, /linkto and /code, then you have to use the common path
prefix, which is /. No resource is allowed to set a cookie it will
not be able to receive, and a cookie set for /service will never
be sent to /app/hdat/.

> But most browsers (in fact all I have tried) work with these cookies. 

That's because many browsers don't care much about specifications.
We do. HttpClient is not a browser:
http://wiki.apache.org/jakarta-httpclient/ForAbsoluteBeginners#head-a110969063be34fcd964aeba55ae23bea12ac232

RFC 2109 is very specific about rejecting cookies in Set-Cookie:

   4.3.2  Rejecting Cookies

   To prevent possible security or privacy violations, a user agent
   rejects a cookie (shall not store its information) if any of the
   following is true:

   * The value for the Path attribute is not a prefix of the request-
     URI.
   ...

RFC 2965 is just as explicit, except that the section is 3.3.2.
Browsers are not supposed to accept those cookies either. Frankly,
in this case I assume that you have missed something when testing
the browsers. Are you sure they don't get a cookie with path /
from somewhere?

> So can I convince HttpMethodBase to work on these.

You can implement a new CookiePolicy. But accepting such illegal
cookies will not be very useful, since they will never be sent back
to the resource that set them. Something is seriously wrong with
the design of the web application.

cheers,
  Roland


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org