Posted to modperl@perl.apache.org by Nenad Steric <ne...@teleweb.at> on 2001/06/22 11:15:33 UTC
Re: Requests using If-Modified-Since cause response Set-Cookie to be discarded
Hi Randal,
The reason I want this is that I am building an authentication scheme which
uses tickets to make sure that only one user can be logged in on one account.
When the ticket expires and the old user wants another page, I want to silently
reissue a new ticket if nobody else tried to log in with this account.
Another idea I might implement is that I could send a changed cookie on every
new page, so that even if somebody copied the cookie file from one computer
to another he could not get in as user#1.
Makes sense?
(Or would you solve this problem in some other way?)
"Randal L. Schwartz" wrote:
>
> >>>>> "Doug" == Doug MacEachern <do...@covalent.net> writes:
>
> Doug> i passed it along the same day:
> Doug> http://hypermail.linklord.com/new-httpd/2001/Jun/0507.html
>
> Doug> still awaiting response on my interpretation of the rfc, seems perfectly
> Doug> valid to include the set-cookie header with a 304 response.
>
> Uh, it seems a bit fishy to me. "nothing's changed, but by the way,
> set this cookie please". Why change a cookie if nothing else has
> changed?
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <me...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
> See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: Requests using If-Modified-Since cause response Set-Cookie to be discarded
Posted by Andrew Gilmartin <an...@dynamicdiagrams.com>.
Randal L. Schwartz writes
> Uh, it seems a bit fishy to me. "nothing's changed, but by the way,
> set this cookie please". Why change a cookie if nothing else has
> changed?
If the HTTP headers were only about the document then I would agree.
However, if we look at this set of headers from a typical request
Date: Tue, 19 Jun 2001 01:03:02 GMT
Server: Apache/1.3.20 (Unix) mod_perl/1.25
Set-Cookie: session=69643d343037266c6173746163636573733d393932393132353933; path=/
Last-Modified: Mon, 18 Jun 2001 17:09:26 GMT
ETag: "25c4f-6-3b2e35c6"
Accept-Ranges: bytes
Content-Length: 6
Connection: close
Content-Type: text/html
Then Date, Server, Accept-Ranges, and Connection are about the server
while Last-Modified, Content-Length, and Content-Type are about the
document. The Set-Cookie could be about either. (I don't know what
ETag is for.) In my case, the cookie is related to the user's
interaction with the server far more than with the document. So I do
think it is valid to return Set-Cookie headers on a 304.
-- Andrew
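
An added example, not part of the original thread or any poster's code: a constructed Python model of the rotating-ticket idea from the first message, showing how it behaves when a server drops Set-Cookie on a 304. The class names, the `ticket` cookie name and the `user1` account are assumptions made for the illustration.

```python
import hmac
import secrets


class TicketServer:
    """Constructed model: one live ticket per account, rotated on every response."""

    def __init__(self, drop_cookie_on_304):
        self.current = {}  # account -> the only ticket accepted next
        self.drop_cookie_on_304 = drop_cookie_on_304

    def login(self, account):
        self.current[account] = secrets.token_hex(16)
        return self.current[account]

    def handle(self, account, ticket, conditional=False):
        expected = self.current.get(account)
        if expected is None or not hmac.compare_digest(expected, ticket):
            return 403, {}  # stale or copied ticket
        self.current[account] = secrets.token_hex(16)  # rotate
        headers = {"Set-Cookie": f"ticket={self.current[account]}; path=/"}
        if conditional:  # If-Modified-Since matched, body unchanged
            if self.drop_cookie_on_304:
                headers = {}  # behaviour in the thread subject
            return 304, headers
        return 200, headers


class Browser:
    def __init__(self, ticket):
        self.ticket = ticket

    def get(self, server, account, conditional=False):
        status, headers = server.handle(account, self.ticket, conditional)
        if "Set-Cookie" in headers:
            self.ticket = headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
        return status


def run(drop_cookie_on_304):
    server = TicketServer(drop_cookie_on_304)
    user = Browser(server.login("user1"))
    copied = Browser(user.ticket)  # cookie file copied to a second machine
    return [
        user.get(server, "user1"),                    # normal page
        copied.get(server, "user1"),                  # copied cookie is now stale
        user.get(server, "user1", conditional=True),  # cached page, 304
        user.get(server, "user1"),                    # next page
    ]
```

With the cookie delivered on the 304 the legitimate browser stays in step with the server; with it dropped, the server has already rotated the ticket and the legitimate user's next request is refused, so a per-request rotation scheme needs either Set-Cookie on 304 or a grace window for the previous ticket.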