You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/08/05 18:52:47 UTC
DO NOT REPLY [Bug 11475] New: -
usertrack can read Cookie2 header but spec says it doesn't contain cookies
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11475>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11475
usertrack can read Cookie2 header but spec says it doesn't contain cookies
Summary: usertrack can read Cookie2 header but spec says it
doesn't contain cookies
Product: Apache httpd-2.0
Version: 2.0.39
Platform: All
URL: ftp://ftp.isi.edu/in-notes/rfc2965.txt
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: mod_usertrack
AssignedTo: bugs@httpd.apache.org
ReportedBy: chrisd@pearsoncmg.com
If the CookieStyle configuration directive is set to Cookie2 or RFC2965, then
mod_usertrack sets dcfg->style = CT_COOKIE2. In turn, the spot_cookie()
function will then parse the Cookie2: request header, looking for the Apache
cookie:
cookie = apr_table_get(r->headers_in,
(dcfg->style == CT_COOKIE2 ? "Cookie2" : "Cookie"))
However, reading the RFC 2965 specification, specifically section 3.3.5,
it appears to me that the Cookie2: header is only used to indicate the
highest version of the cookie specification that the client understands.
Per 3.3.4, the actual cookie values are still sent in the Cookie: header.
(See also 9.1 and the examples under 4.1 and 4.2.)
As a further note, it seems to me -- I could be reading the spec or code
incorrectly, of course -- that the cookie parsing code in spot_cookie()
may not really work with RFCs 2109 or 2965, because it doesn't accept
commas as cookie delimiters, nor the whitespace or double-quote (")
quoted-strings allowed by those RFCs. See 10.1.3 in RFC 2109, as well
as 4.1 and 4.3.4 in RFC 2109, and 3.1 and 3.3.4 in RFC 2965.
My apologies if I've misread something!
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org