You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1998/06/28 17:43:13 UTC
Apache Y2K bug in mod_usertrack.c
>Path: scanner.worldgate.com!news.he.net!news.scruz.net!echo.echo.com!banshee
>From: banshee@echo.echo.com (John Vinopal)
>Newsgroups: comp.infosystems.www.servers.unix
>Subject: Apache Y2K bug in mod_usertrack.c
>Date: 26 Jun 1998 21:27:57 GMT
>Organization: Echo Street
>Lines: 17
>Message-ID: <6n...@news.scruz.net>
>NNTP-Posting-Host: echo.com
>Xref: scanner.worldgate.com comp.infosystems.www.servers.unix:44717
This is present as of 1.3b5 and as far back as 1.2b4. The issue
is issuance of incorrectly expired cookies that MSIE chokes upon.
Cookies are spit out formatted like: Day, DD-MON-YY HH:MM:SS GMT
whereas they SHOULD be spit out like Day, DD-MON-YYYY HH:MM:SS GMT
The code in question varies depending on the src tree, but is essentially:
tms->tm_year % 100
and should be
tms->tm_year + 1900
and a change from .2d to .4d in the printf line above.
Replies to banshee@NOSPAMresort.com, remove the NOSPAM part. All
mail to this address is dumped.
Re: Apache Y2K bug in mod_usertrack.c
Posted by Rasmus Lerdorf <ra...@lerdorf.on.ca>.
> > I have found that using 4-digit years in cookies causes problems on some
> > browsers whereas 2-digit years always seem to work. I think the basic
> > problem is that someone at Netscape screwed up. The original cookie spec
> > at http://www.netscape.com/newsref/std/cookie_spec.html defines the
>
> I bet they changed it after the fact.
I don't know about that. I remember investigating this problem back in
late 1995 and they had the same inconsistency in that file. I sent a
bunch of emails to Netscape and posted about it on their news server, but
nobody ever responded.
By the way, that URL sets a cookie and it only uses a 2-digit year. Here
are the headers:
HTTP/1.0 200 OK
Server: Netscape-Enterprise/2.01
Date: Tue, 30 Jun 1998 08:26:46 GMT
Set-cookie: NGUserID=cfc84949-5690-899195206-1; expires=Wednesday, 09-Nov-99 23:12:40 GMT; path=/
Content-type: text/html
-Rasmus
Re: Apache Y2K bug in mod_usertrack.c
Posted by Marc Slemko <ma...@znep.com>.
On Tue, 30 Jun 1998, Rasmus Lerdorf wrote:
> I have found that using 4-digit years in cookies causes problems on some
> browsers whereas 2-digit years always seem to work. I think the basic
> problem is that someone at Netscape screwed up. The original cookie spec
> at http://www.netscape.com/newsref/std/cookie_spec.html defines the
I bet they changed it after the fact.
Re: Apache Y2K bug in mod_usertrack.c
Posted by Rasmus Lerdorf <ra...@lerdorf.on.ca>.
I have found that using 4-digit years in cookies causes problems on some
browsers whereas 2-digit years always seem to work. I think the basic
problem is that someone at Netscape screwed up. The original cookie spec
at http://www.netscape.com/newsref/std/cookie_spec.html defines the
expires string as: expire=Wdy, DD-Mon-YYYY HH:MM:SS GMT
But then at the bottom of that URL in their very first example they have:
Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT
So, the first example in the spec doesn't adhere to the spec and I bet it
has caused the confusion in the browser code.
> Isn't the session-management RFC in draft now? Shouldn't we make sure any
> changes don't negatively impact interoperability with other browsers? I
> think there's a PR on this somewhere...
>
> Brian
>
> At 09:43 AM 6/28/98 -0600, Marc Slemko wrote:
> >
> >>Path: scanner.worldgate.com!news.he.net!news.scruz.net!echo.echo.com!banshee
> >>From: banshee@echo.echo.com (John Vinopal)
> >>Newsgroups: comp.infosystems.www.servers.unix
> >>Subject: Apache Y2K bug in mod_usertrack.c
> >>Date: 26 Jun 1998 21:27:57 GMT
> >>Organization: Echo Street
> >>Lines: 17
> >>Message-ID: <6n...@news.scruz.net>
> >>NNTP-Posting-Host: echo.com
> >>Xref: scanner.worldgate.com comp.infosystems.www.servers.unix:44717
> >
> >
> >This is present as of 1.3b5 and as far back as 1.2b4. The issue
> >is issuance of incorrectly expired cookies that MSIE chokes upon.
> >Cookies are spit out formatted like: Day, DD-MON-YY HH:MM:SS GMT
> >whereas they SHOULD be spit out like Day, DD-MON-YYYY HH:MM:SS GMT
> >
> >The code in question varies depending on the src tree, but is essentially:
> >
> >tms->tm_year % 100
> >and should be
> >tms->tm_year + 1900
> >
> >and a change from .2d to .4d in the printf line above.
> >
> >Replies to banshee@NOSPAMresort.com, remove the NOSPAM part. All
> >mail to this address is dumped.
> >
> >
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> pure chewing satisfaction brian@apache.org
> brian@hyperreal.org
>
Re: Apache Y2K bug in mod_usertrack.c
Posted by Marc Slemko <ma...@znep.com>.
Hmm.
>From http://home.netscape.com/newsref/std/cookie_spec.html it appears like
you are supposed to use a format of:
Wdy, DD-Mon-YYYY HH:MM:SS GMT
...but their example uses a two digit date. Can anyone say "hack after
the fact to make up for not making a real spec that a two year old could
do right?"
FWIW, current Navigator accepts 4 digit dates and they seem to work right.
Don't know about older ones.
On Tue, 30 Jun 1998, Marc Slemko wrote:
> I haven't a clue.
>
> I think Dean says the cookie spec is broken WRT y2k and you can't use four
> digit dates; I haven't a clue about cookies and don't want to, but I
> wouldn't doubt if it is speced to two-digits. Navigator, for some reason,
> likes two digit dates for other things, but for them it accepts (as it
> has to) other formats with 4 digit dates. May not for cookies.
>
> On Tue, 30 Jun 1998, Brian Behlendorf wrote:
>
> >
> > Isn't the session-management RFC in draft now? Shouldn't we make sure any
> > changes don't negatively impact interoperability with other browsers? I
> > think there's a PR on this somewhere...
> >
> > Brian
> >
> > At 09:43 AM 6/28/98 -0600, Marc Slemko wrote:
> > >
> > >>Path: scanner.worldgate.com!news.he.net!news.scruz.net!echo.echo.com!banshee
> > >>From: banshee@echo.echo.com (John Vinopal)
> > >>Newsgroups: comp.infosystems.www.servers.unix
> > >>Subject: Apache Y2K bug in mod_usertrack.c
> > >>Date: 26 Jun 1998 21:27:57 GMT
> > >>Organization: Echo Street
> > >>Lines: 17
> > >>Message-ID: <6n...@news.scruz.net>
> > >>NNTP-Posting-Host: echo.com
> > >>Xref: scanner.worldgate.com comp.infosystems.www.servers.unix:44717
> > >
> > >
> > >This is present as of 1.3b5 and as far back as 1.2b4. The issue
> > >is issuance of incorrectly expired cookies that MSIE chokes upon.
> > >Cookies are spit out formatted like: Day, DD-MON-YY HH:MM:SS GMT
> > >whereas they SHOULD be spit out like Day, DD-MON-YYYY HH:MM:SS GMT
> > >
> > >The code in question varies depending on the src tree, but is essentially:
> > >
> > >tms->tm_year % 100
> > >and should be
> > >tms->tm_year + 1900
> > >
> > >and a change from .2d to .4d in the printf line above.
> > >
> > >Replies to banshee@NOSPAMresort.com, remove the NOSPAM part. All
> > >mail to this address is dumped.
> > >
> > >
> > --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> > pure chewing satisfaction brian@apache.org
> > brian@hyperreal.org
> >
>
>
Re: Apache Y2K bug in mod_usertrack.c
Posted by Marc Slemko <ma...@znep.com>.
I haven't a clue.
I think Dean says the cookie spec is broken WRT y2k and you can't use four
digit dates; I haven't a clue about cookies and don't want to, but I
wouldn't doubt if it is speced to two-digits. Navigator, for some reason,
likes two digit dates for other things, but for them it accepts (as it
has to) other formats with 4 digit dates. May not for cookies.
On Tue, 30 Jun 1998, Brian Behlendorf wrote:
>
> Isn't the session-management RFC in draft now? Shouldn't we make sure any
> changes don't negatively impact interoperability with other browsers? I
> think there's a PR on this somewhere...
>
> Brian
>
> At 09:43 AM 6/28/98 -0600, Marc Slemko wrote:
> >
> >>Path: scanner.worldgate.com!news.he.net!news.scruz.net!echo.echo.com!banshee
> >>From: banshee@echo.echo.com (John Vinopal)
> >>Newsgroups: comp.infosystems.www.servers.unix
> >>Subject: Apache Y2K bug in mod_usertrack.c
> >>Date: 26 Jun 1998 21:27:57 GMT
> >>Organization: Echo Street
> >>Lines: 17
> >>Message-ID: <6n...@news.scruz.net>
> >>NNTP-Posting-Host: echo.com
> >>Xref: scanner.worldgate.com comp.infosystems.www.servers.unix:44717
> >
> >
> >This is present as of 1.3b5 and as far back as 1.2b4. The issue
> >is issuance of incorrectly expired cookies that MSIE chokes upon.
> >Cookies are spit out formatted like: Day, DD-MON-YY HH:MM:SS GMT
> >whereas they SHOULD be spit out like Day, DD-MON-YYYY HH:MM:SS GMT
> >
> >The code in question varies depending on the src tree, but is essentially:
> >
> >tms->tm_year % 100
> >and should be
> >tms->tm_year + 1900
> >
> >and a change from .2d to .4d in the printf line above.
> >
> >Replies to banshee@NOSPAMresort.com, remove the NOSPAM part. All
> >mail to this address is dumped.
> >
> >
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> pure chewing satisfaction brian@apache.org
> brian@hyperreal.org
>
Re: Apache Y2K bug in mod_usertrack.c
Posted by Dean Gaudet <dg...@arctic.org>.
The original message below is wrong.
Set-Cookie is a netscape extension to the protocol. Netscape's document
describing it allows for only two digits for the year. Maybe new versions
of navigator accept four digit dates... old versions definately didn't.
Dean
On Tue, 30 Jun 1998, Brian Behlendorf wrote:
>
> Isn't the session-management RFC in draft now? Shouldn't we make sure any
> changes don't negatively impact interoperability with other browsers? I
> think there's a PR on this somewhere...
>
> Brian
>
> At 09:43 AM 6/28/98 -0600, Marc Slemko wrote:
> >
> >>Path: scanner.worldgate.com!news.he.net!news.scruz.net!echo.echo.com!banshee
> >>From: banshee@echo.echo.com (John Vinopal)
> >>Newsgroups: comp.infosystems.www.servers.unix
> >>Subject: Apache Y2K bug in mod_usertrack.c
> >>Date: 26 Jun 1998 21:27:57 GMT
> >>Organization: Echo Street
> >>Lines: 17
> >>Message-ID: <6n...@news.scruz.net>
> >>NNTP-Posting-Host: echo.com
> >>Xref: scanner.worldgate.com comp.infosystems.www.servers.unix:44717
> >
> >
> >This is present as of 1.3b5 and as far back as 1.2b4. The issue
> >is issuance of incorrectly expired cookies that MSIE chokes upon.
> >Cookies are spit out formatted like: Day, DD-MON-YY HH:MM:SS GMT
> >whereas they SHOULD be spit out like Day, DD-MON-YYYY HH:MM:SS GMT
> >
> >The code in question varies depending on the src tree, but is essentially:
> >
> >tms->tm_year % 100
> >and should be
> >tms->tm_year + 1900
> >
> >and a change from .2d to .4d in the printf line above.
> >
> >Replies to banshee@NOSPAMresort.com, remove the NOSPAM part. All
> >mail to this address is dumped.
> >
> >
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> pure chewing satisfaction brian@apache.org
> brian@hyperreal.org
>
Re: Apache Y2K bug in mod_usertrack.c
Posted by Brian Behlendorf <br...@hyperreal.org>.
Isn't the session-management RFC in draft now? Shouldn't we make sure any
changes don't negatively impact interoperability with other browsers? I
think there's a PR on this somewhere...
Brian
At 09:43 AM 6/28/98 -0600, Marc Slemko wrote:
>
>>Path: scanner.worldgate.com!news.he.net!news.scruz.net!echo.echo.com!banshee
>>From: banshee@echo.echo.com (John Vinopal)
>>Newsgroups: comp.infosystems.www.servers.unix
>>Subject: Apache Y2K bug in mod_usertrack.c
>>Date: 26 Jun 1998 21:27:57 GMT
>>Organization: Echo Street
>>Lines: 17
>>Message-ID: <6n...@news.scruz.net>
>>NNTP-Posting-Host: echo.com
>>Xref: scanner.worldgate.com comp.infosystems.www.servers.unix:44717
>
>
>This is present as of 1.3b5 and as far back as 1.2b4. The issue
>is issuance of incorrectly expired cookies that MSIE chokes upon.
>Cookies are spit out formatted like: Day, DD-MON-YY HH:MM:SS GMT
>whereas they SHOULD be spit out like Day, DD-MON-YYYY HH:MM:SS GMT
>
>The code in question varies depending on the src tree, but is essentially:
>
>tms->tm_year % 100
>and should be
>tms->tm_year + 1900
>
>and a change from .2d to .4d in the printf line above.
>
>Replies to banshee@NOSPAMresort.com, remove the NOSPAM part. All
>mail to this address is dumped.
>
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
pure chewing satisfaction brian@apache.org
brian@hyperreal.org