Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/08/05 18:52:47 UTC

DO NOT REPLY [Bug 11475] New: - usertrack can read Cookie2 header but spec says it doesn't contain cookies

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11475

           Summary: usertrack can read Cookie2 header but spec says it
                    doesn't contain cookies
           Product: Apache httpd-2.0
           Version: 2.0.39
          Platform: All
               URL: ftp://ftp.isi.edu/in-notes/rfc2965.txt
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: mod_usertrack
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: chrisd@pearsoncmg.com


If the CookieStyle configuration directive is set to Cookie2 or RFC2965, then
mod_usertrack sets dcfg->style = CT_COOKIE2.  In turn, the spot_cookie()
function will then parse the Cookie2: request header, looking for the Apache
cookie:

    cookie = apr_table_get(r->headers_in,
        (dcfg->style == CT_COOKIE2 ? "Cookie2" : "Cookie"));

However, reading the RFC 2965 specification, specifically section 3.3.5,
it appears to me that the Cookie2: header is only used to indicate the
highest version of the cookie specification that the client understands.
Per 3.3.4, the actual cookie values are still sent in the Cookie: header.
(See also 9.1 and the examples under 4.1 and 4.2.)

As a further note, it seems to me -- I could be reading the spec or code
incorrectly, of course -- that the cookie parsing code in spot_cookie()
may not really work with RFCs 2109 or 2965, because it doesn't accept
commas as cookie delimiters, nor the whitespace or double-quote (")
quoted-strings allowed by those RFCs.  See 10.1.3 in RFC 2109, as well
as 4.1 and 4.3.4 in RFC 2109, and 3.1 and 3.3.4 in RFC 2965.
My apologies if I've misread something!

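
The delimiter and quoted-string handling the report describes, as an added example that is not part of the original report and is not mod_usertrack's code: a lookup over a Cookie: header value that accepts ';' or ',' between pairs, whitespace around '=', and quoted-string values. The names find_cookie and is_sep, the exact-case name match, and the sample header in the comment are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Characters that end an unquoted token in this example's grammar. */
static int is_sep(char c)
{
    return c == ';' || c == ',' || c == ' ' || c == '\t';
}

/* Look up cookie `name` in a Cookie: header value and copy its value into
 * out. Returns 1 if found, 0 if absent, malformed, or too long for out.
 * Constructed sample input: $Version="1"; Apache="10.0.0.1.42"; $Path="/" */
int find_cookie(const char *hdr, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while (*p) {
        while (is_sep(*p)) p++;                 /* ';' or ',' between pairs */
        const char *attr = p;
        while (*p && *p != '=' && !is_sep(*p)) p++;
        /* Exact-case name match: an assumption of this example. */
        int match = ((size_t)(p - attr) == nlen && memcmp(attr, name, nlen) == 0);
        while (*p == ' ' || *p == '\t') p++;
        if (*p != '=') continue;                /* bare attribute, no value */
        p++;
        while (*p == ' ' || *p == '\t') p++;

        size_t n = 0;
        if (*p == '"') {                        /* quoted-string value */
            for (p++; *p && *p != '"'; p++) {
                if (*p == '\\' && p[1]) p++;    /* quoted-pair */
                if (match && n + 1 < outsz) out[n] = *p;
                n++;
            }
            if (*p != '"') return 0;            /* unterminated quote */
            p++;
        } else {
            for (; *p && !is_sep(*p); p++, n++)
                if (match && n + 1 < outsz) out[n] = *p;
        }
        if (match) {
            if (n + 1 > outsz) return 0;        /* value does not fit */
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}
```

Because quoted strings are consumed as a unit, a cookie name that appears inside another cookie's quoted value is not mistaken for the cookie itself.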