Posted to dev@commons.apache.org by RODRIGUEZ Christophe <ch...@hotmail.com> on 2005/11/13 07:36:14 UTC

[HttpClient] 2.0.2 - Bug in cookies handling in COMPATIBILITY mode ?

Hello all,

On a web site which I used HttpClient on, it was unable to
authenticate because the authentication was cookie based, even in
COMPATIBILITY mode (given through JVM parameters), so I decided to check
the code.

domain of the cookie was : domain.com ( the first "dot" is missing, so it
does not comply with RFC2109...)
host was : www.domain.com

The cookie is well parsed and validated, this is not the problem.
But it will never be sent back in the response, because of the following
domainMatch function which checks if the cookie is RFC2109 compliant, even
if I specified COMPATIBILITY mode.

( in /home/cvs/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java,v 1.16.2.3 )

    /**
     * Performs a domain-match as described in RFC2109.
     * @param host The host to check.
     * @param domain The domain.
     * @return true if the specified host matches the given domain.
     */
    private static boolean domainMatch(String host, String domain) {
        boolean match = host.equals(domain)
            || (domain.startsWith(".") && host.endsWith(domain));

        return match;
    }

I don't really know if it is a bug... please let me know if I'm wrong.

Christophe. 

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
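
The behaviour described in the message above, as an added example that is not part of the original post and is not HttpClient code: the strict matcher quoted there next to a lenient matcher that accepts a cookie domain without the leading dot but still only matches on a label boundary. The class name, the method names and the sample hosts are assumptions made for illustration.

```java
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not HttpClient API.
public class CookieDomainMatchDemo {

    // Strict match as quoted in the post: suffix match only when the
    // cookie domain carries a leading dot.
    static boolean strictMatch(String host, String domain) {
        return host.equals(domain)
            || (domain.startsWith(".") && host.endsWith(domain));
    }

    // Lenient match: treat "domain.com" like ".domain.com", but only on a
    // label boundary, so "evildomain.com" does not match "domain.com".
    static boolean lenientMatch(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) {
            d = d.substring(1);
        }
        if (d.isEmpty()) {
            return false;
        }
        return h.equals(d) || h.endsWith("." + d);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {host, cookie domain}
        String[][] cases = {
            {"www.domain.com", "domain.com"},   // case from the post
            {"www.domain.com", ".domain.com"},
            {"domain.com", ".domain.com"},
            {"evildomain.com", "domain.com"},
            {"www.domain.com.example.net", "domain.com"},
        };
        for (String[] c : cases) {
            System.out.printf("host=%-28s domain=%-12s strict=%-5b lenient=%b%n",
                c[0], c[1], strictMatch(c[0], c[1]), lenientMatch(c[0], c[1]));
        }
    }
}
```

Matching alone does not reject an overly broad cookie domain such as a bare top-level domain; that check belongs in validation when the cookie is accepted.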


Re: [HttpClient] 2.0.2 - Bug in cookies handling in COMPATIBILITY mode ?

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Sun, 2005-11-13 at 07:36 +0100, RODRIGUEZ Christophe wrote:
> Hello all,
> 
> On a web site which I used HttpClient on, it was unable to
> authenticate because the authentication was cookie based, even in
> COMPATIBILITY mode (given through JVM parameters), so I decided to check
> the code.
> 
> domain of the cookie was : domain.com ( the first "dot" is missing, so it
> does not comply with RFC2109...)
> host was : www.domain.com
> 
> The cookie is well parsed and validated, this is not the problem.
> But it will never be sent back in the response, because of the following
> domainMatch function which checks if the cookie is RFC2109 compliant, even
> if I specified COMPATIBILITY mode.
> 
> ( in /home/cvs/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java,v 1.16.2.3 )
> 
>     /**
>      * Performs a domain-match as described in RFC2109.
>      * @param host The host to check.
>      * @param domain The domain.
>      * @return true if the specified host matches the given domain.
>      */
>     private static boolean domainMatch(String host, String domain) {
>         boolean match = host.equals(domain)
>             || (domain.startsWith(".") && host.endsWith(domain));
> 
>         return match;
>     }
> 
> I don't really know if it is a bug... please let me know if I'm wrong.
> 

Christophe,

I believe this bug has been fixed in HttpClient 3.0. Could you please
test your code against HttpClient 3.0rc4 and file a bug report in
Bugzilla if the problem still persists?

Oleg

> Christophe. 