Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wm...@gmail.com> on 2014/03/07 22:25:39 UTC

Logging multiple values for the same cookie name?

In working through this code, I realized that you may have multiple cookie
headers of multiple values for the same cookie name.

Mark Thomas looked at the spec for me and determined they would be entirely
permissible by RFC 6265 S4.2.2.  But today we simply log one and done.

I don't want to hold up 2.4 or 2.2 for such an issue, but would like to
correct it in the near-term.  The discussion question is; how to indicate a
value list rather than a value in our logging?


On Mar 7, 2014 2:57 PM, <wr...@apache.org> wrote:

> Author: wrowe
> Date: Fri Mar  7 20:56:24 2014
> New Revision: 1575400
>
> URL: http://svn.apache.org/r1575400
> Log:
> Clean up the cookie logging parser to recognize only the cookie=value
> pairs,
> not valueless cookies.  This refactors multiple passes over the same string
> buffer into a single pass parser.
>
> Submitted by: wrowe
> Reviewed by: rpluem, jim
>
>
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/loggers/mod_log_config.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1575400&r1=1575399&r2=1575400&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Mar  7 20:56:24 2014
> @@ -1,6 +1,10 @@
>                                                           -*- coding:
> utf-8 -*-
>  Changes with Apache 2.5.0
>
> +  *) Clean up cookie logging with fewer redundant string parsing passes.
> +     Log only cookies with a value assignment.
> +     [William Rowe, Ruediger Pluem, Jim Jagielski]
> +
>    *) mod_ssl: Do not perform SNI / Host header comparison in case of a
>       forward proxy request. [Ruediger Pluem]
>
>
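Review bot: The new CHANGES entry does not name the module it touches, while the mod_ssl entry directly below it leads with "mod_ssl:". Prefix it with "mod_log_config:" so that "Log only cookies with a value assignment" reads as a change to cookie logging in that module rather than to cookie handling in general.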
> Modified: httpd/httpd/trunk/modules/loggers/mod_log_config.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c?rev=1575400&r1=1575399&r2=1575400&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/modules/loggers/mod_log_config.c (original)
> +++ httpd/httpd/trunk/modules/loggers/mod_log_config.c Fri Mar  7 20:56:24
> 2014
> @@ -543,14 +543,24 @@ static const char *log_cookie(request_re
>
>          while ((cookie = apr_strtok(cookies, ";", &last1))) {
>              char *name = apr_strtok(cookie, "=", &last2);
> -            if (name) {
> -                char *value = name + strlen(name) + 1;
> -                apr_collapse_spaces(name, name);
> +            /* last2 points to the next char following an '=' delim,
> +               or the trailing NUL char of the string */
> +            char *value = last2;
> +            if (name && *name &&  value && *value) {
> +                char *last = value - 2;
> +                /* Move past leading WS */
> +                name += strspn(name, " \t");
> +                while (last >= name && apr_isspace(*last)) {
> +                    *last = '\0';
> +                    --last;
> +                }
>
>                  if (!strcasecmp(name, a)) {
> -                    char *last;
> -                    value += strspn(value, " \t");  /* Move past leading
> WS */
> -                    last = value + strlen(value) - 1;
> +                    /* last1 points to the next char following the ';'
> delim,
> +                       or the trailing NUL char of the string */
> +                    last = last1 - (*last1 ? 2 : 1);
> +                    /* Move past leading WS */
> +                    value += strspn(value, " \t");
>                      while (last >= value && apr_isspace(*last)) {
>                         *last = '\0';
>                         --last;
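Review bot: In the value branch, `last = last1 - (*last1 ? 2 : 1);` cannot tell the final cookie of the string from a cookie followed by a bare trailing ';'. By the comment's own description last1 points at the trailing NUL in both cases, so for a header ending in "name=value ;" last lands on the byte where the ';' was, apr_isspace() fails on it at once, and the trailing whitespace stays in the logged value. Either step back once more when `*last` is NUL, or compute the end as the removed `value + strlen(value) - 1` did. The name branch's `char *last = value - 2;` likewise depends on the '=' sitting at `value - 1`; a one-line comment saying so would help the next reader.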
> @@ -559,6 +569,7 @@ static const char *log_cookie(request_re
>                      return ap_escape_logitem(r->pool, value);
>                  }
>              }
> +            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
>              cookies = NULL;
>          }
>      }
>
>
>
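Review bot: The comment added above `cookies = NULL;` documents the iteration, but the unchanged `return ap_escape_logitem(r->pool, value);` at the top of this hunk still leaves the loop on the first matching name, so a second pair with the same name later in the string is never reached. Since the commit message says only which pairs are recognized, a comment at the return stating that the first match wins would make that behaviour explicit until the value-list question raised in this thread is settled.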

RE: Logging multiple values for the same cookie name?

Posted by Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com>.
+1

Regards

Rüdiger

> -----Original Message-----
> From: Yann Ylavic [mailto:ylavic.dev@gmail.com]
> Sent: Freitag, 7. März 2014 22:50
> To: httpd
> Subject: Re: Logging multiple values for the same cookie name?
> 
> On Fri, Mar 7, 2014 at 10:29 PM, André Malo <nd...@perlig.de> wrote:
> > * William A. Rowe Jr. wrote:
> >
> >> In working through this code, I realized that you may have multiple
> >> cookie headers of multiple values for the same cookie name.
> >>
> >> Mark Thomas looked at the spec for me and determined they would be
> >> entirely permissible by RFC 6265 S4.2.2.  But today we simply log one
> and
> >> done.
> >>
> >> I don't want to hold up 2.4 or 2.2 for such an issue, but would like to
> >> correct it in the near-term.  The discussion question is; how to
> indicate
> >> a value list rather than a value in our logging?
> >
> > I'd suggest separating the values with semicolons.
> 
> +1

Re: Logging multiple values for the same cookie name?

Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Mar 7, 2014 at 10:29 PM, André Malo <nd...@perlig.de> wrote:
> * William A. Rowe Jr. wrote:
>
>> In working through this code, I realized that you may have multiple
>> cookie headers of multiple values for the same cookie name.
>>
>> Mark Thomas looked at the spec for me and determined they would be
>> entirely permissible by RFC 6265 S4.2.2.  But today we simply log one and
>> done.
>>
>> I don't want to hold up 2.4 or 2.2 for such an issue, but would like to
>> correct it in the near-term.  The discussion question is; how to indicate
>> a value list rather than a value in our logging?
>
> I'd suggest separating the values with semicolons.

+1

Re: Logging multiple values for the same cookie name?

Posted by André Malo <nd...@perlig.de>.
* William A. Rowe Jr. wrote:

> In working through this code, I realized that you may have multiple
> cookie headers of multiple values for the same cookie name.
>
> Mark Thomas looked at the spec for me and determined they would be
> entirely permissible by RFC 6265 S4.2.2.  But today we simply log one and
> done.
>
> I don't want to hold up 2.4 or 2.2 for such an issue, but would like to
> correct it in the near-term.  The discussion question is; how to indicate
> a value list rather than a value in our logging?

I'd suggest separating the values with semicolons.

nd
-- 
"Das Verhalten von Gates hatte mir bewiesen, dass ich auf ihn und seine
beiden Gefährten nicht zu zählen brauchte" -- Karl May, "Winnetou III"

Im Westen was neues: <http://pub.perlig.de/books.html#apache2>

Re: Logging multiple values for the same cookie name?

Posted by Jim Jagielski <ji...@jaguNET.com>.
+1
On Mar 7, 2014, at 6:58 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:

> So I am happy to agree with the semicolon list delimiter for logging.
> On Mar 7, 2014 5:09 PM, "Yann Ylavic" <yl...@gmail.com> wrote:
> On Sat, Mar 8, 2014 at 12:06 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> >
> > On Mar 7, 2014 4:50 PM, "Yann Ylavic" <yl...@gmail.com> wrote:
> >>
> >> On Fri, Mar 7, 2014 at 10:25 PM, William A. Rowe Jr. <wm...@gmail.com>
> >> wrote:
> >> > In working through this code, I realized that you may have multiple
> >> > cookie
> >> > headers of multiple values for the same cookie name.
> >> >
> >> > Mark Thomas looked at the spec for me and determined they would be
> >> > entirely
> >> > permissible by RFC 6265 S4.2.2.  But today we simply log one and done.
> >>
> >> I can't presume how far you plan to handle the multiple cookie
> >> headers, but should you handle "Cookie: name1=value1, name2=value2" as
> >> two distinct cookies (like comma separated headers defined by the HTTP
> >> RFC), it's good to know that most (if not all) user-agents won't,
> >> mostly because applications (cookie setters) won't either quote
> >> Set-Cookie values or attributes containing comma (double-quotes were
> >> not defined with cookies version 0).
> >>
> >> As a consequence, the above is commonly considered a single cookie
> >> named [name1] with value [value1, name2=value2]...
> >
> > Did you mean comma?  Or semicolon?
> 
> Comma yes.
> Semicolon is the only de facto cookie separator.


Re: Logging multiple values for the same cookie name?

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
So I am happy to agree with the semicolon list delimiter for logging.
 On Mar 7, 2014 5:09 PM, "Yann Ylavic" <yl...@gmail.com> wrote:

> On Sat, Mar 8, 2014 at 12:06 AM, William A. Rowe Jr. <wm...@gmail.com>
> wrote:
> >
> > On Mar 7, 2014 4:50 PM, "Yann Ylavic" <yl...@gmail.com> wrote:
> >>
> >> On Fri, Mar 7, 2014 at 10:25 PM, William A. Rowe Jr. <wm...@gmail.com>
> >> wrote:
> >> > In working through this code, I realized that you may have multiple
> >> > cookie
> >> > headers of multiple values for the same cookie name.
> >> >
> >> > Mark Thomas looked at the spec for me and determined they would be
> >> > entirely
> >> > permissible by RFC 6265 S4.2.2.  But today we simply log one and done.
> >>
> >> I can't presume how far you plan to handle the multiple cookie
> >> headers, but should you handle "Cookie: name1=value1, name2=value2" as
> >> two distinct cookies (like comma separated headers defined by the HTTP
> >> RFC), it's good to know that most (if not all) user-agents won't,
> >> mostly because applications (cookie setters) won't either quote
> >> Set-Cookie values or attributes containing comma (double-quotes were
> >> not defined with cookies version 0).
> >>
> >> As a consequence, the above is commonly considered a single cookie
> >> named [name1] with value [value1, name2=value2]...
> >
> > Did you mean comma?  Or semicolon?
>
> Comma yes.
> Semicolon is the only de facto cookie separator.
>

Re: Logging multiple values for the same cookie name?

Posted by Yann Ylavic <yl...@gmail.com>.
On Sat, Mar 8, 2014 at 12:06 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
>
> On Mar 7, 2014 4:50 PM, "Yann Ylavic" <yl...@gmail.com> wrote:
>>
>> On Fri, Mar 7, 2014 at 10:25 PM, William A. Rowe Jr. <wm...@gmail.com>
>> wrote:
>> > In working through this code, I realized that you may have multiple
>> > cookie
>> > headers of multiple values for the same cookie name.
>> >
>> > Mark Thomas looked at the spec for me and determined they would be
>> > entirely
>> > permissible by RFC 6265 S4.2.2.  But today we simply log one and done.
>>
>> I can't presume how far you plan to handle the multiple cookie
>> headers, but should you handle "Cookie: name1=value1, name2=value2" as
>> two distinct cookies (like comma separated headers defined by the HTTP
>> RFC), it's good to know that most (if not all) user-agents won't,
>> mostly because applications (cookie setters) won't either quote
>> Set-Cookie values or attributes containing comma (double-quotes were
>> not defined with cookies version 0).
>>
>> As a consequence, the above is commonly considered a single cookie
>> named [name1] with value [value1, name2=value2]...
>
> Did you mean comma?  Or semicolon?

Comma yes.
Semicolon is the only de facto cookie separator.

Re: Logging multiple values for the same cookie name?

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
On Mar 7, 2014 4:50 PM, "Yann Ylavic" <yl...@gmail.com> wrote:
>
> On Fri, Mar 7, 2014 at 10:25 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> > In working through this code, I realized that you may have multiple cookie
> > headers of multiple values for the same cookie name.
> >
> > Mark Thomas looked at the spec for me and determined they would be entirely
> > permissible by RFC 6265 S4.2.2.  But today we simply log one and done.
>
> I can't presume how far you plan to handle the multiple cookie
> headers, but should you handle "Cookie: name1=value1, name2=value2" as
> two distinct cookies (like comma separated headers defined by the HTTP
> RFC), it's good to know that most (if not all) user-agents won't,
> mostly because applications (cookie setters) won't either quote
> Set-Cookie values or attributes containing comma (double-quotes were
> not defined with cookies version 0).
>
> As a consequence, the above is commonly considered a single cookie
> named [name1] with value [value1, name2=value2]...

Did you mean comma?  Or semicolon?

Re: Logging multiple values for the same cookie name?

Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Mar 7, 2014 at 10:25 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> In working through this code, I realized that you may have multiple cookie
> headers of multiple values for the same cookie name.
>
> Mark Thomas looked at the spec for me and determined they would be entirely
> permissible by RFC 6265 S4.2.2.  But today we simply log one and done.

I can't presume how far you plan to handle the multiple cookie
headers, but should you handle "Cookie: name1=value1, name2=value2" as
two distinct cookies (like comma separated headers defined by the HTTP
RFC), it's good to know that most (if not all) user-agents won't,
mostly because applications (cookie setters) won't either quote
Set-Cookie values or attributes containing comma (double-quotes were
not defined with cookies version 0).

As a consequence, the above is commonly considered a single cookie
named [name1] with value [value1, name2=value2]...

Regards,
Yann.
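
The outcome the thread converges on, as an added example that is not httpd code or any poster's code: every value of one cookie name is collected across several Cookie headers and joined with semicolons, splitting on ';' only so that a comma stays inside the value. The function name collect_cookie_values, the IS_WS macro and the sample headers are assumptions made for this example; in httpd the joined result would still go through ap_escape_logitem as in the patch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define IS_WS(c) ((c) == ' ' || (c) == '\t')

/* Hypothetical helper, not httpd code: collect every value of cookie `name`
 * from `n` Cookie header values into `out`, joined by ';'. Returns the number
 * of values found, or -1 if `out` is too small. Escape before logging. */
static int collect_cookie_values(const char *const *hdrs, size_t n,
                                 const char *name, char *out, size_t outsz)
{
    size_t used = 0, nlen = strlen(name);
    int found = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        for (const char *p = hdrs[i]; *p; ) {
            size_t plen = strcspn(p, ";");    /* ';' is the only separator */
            const char *end = p + plen, *eq = memchr(p, '=', plen);
            if (eq) {                         /* valueless cookies are skipped */
                const char *ns = p, *ne = eq, *vs = eq + 1, *ve = end;
                while (ns < ne && IS_WS(*ns)) ns++;
                while (ne > ns && IS_WS(ne[-1])) ne--;
                while (vs < ve && IS_WS(*vs)) vs++;
                while (ve > vs && IS_WS(ve[-1])) ve--;
                if ((size_t)(ne - ns) == nlen && ve > vs
                    && strncasecmp(ns, name, nlen) == 0) {
                    size_t vlen = (size_t)(ve - vs);
                    if (used + (found ? 1 : 0) + vlen + 1 > outsz) return -1;
                    if (found++) out[used++] = ';';  /* not before the first */
                    memcpy(out + used, vs, vlen);
                    out[used += vlen] = '\0';
                }
            }
            p = *end ? end + 1 : end;
        }
    }
    return found;
}

int main(void)
{
    /* Constructed sample headers, not taken from real traffic */
    const char *const hdrs[] = { "sid=abc; theme=dark", "SID = def ; flag",
                                 "name1=value1, name2=value2" };
    char buf[64];
    int n = collect_cookie_values(hdrs, 3, "sid", buf, sizeof buf);
    printf("%d %s\n", n, buf);
    return 0;
}
```

Because ';' is the pair separator it can never occur inside a collected value, so the semicolon-joined list stays unambiguous for whoever parses the log.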