Posted to dev@httpd.apache.org by Paul Sutton <pa...@ukweb.com> on 1996/05/31 12:08:36 UTC

Re: apache week and cookies and a patch

On Thu, 30 May 1996, Rob Hartill wrote:
> http://www.ukweb.com/support/apacheweek/96may24
> "When a CGI program sends multiple cookie headers (Set-Cookie:), Apache
>   merges them into one HTTP header. It does this with all headers of the
>   same name, since this is a standard part of the HTTP specification.
>   Unfortunately, the Netscape cookie specification does not allow
>   multiple cookies on one header, but does allow multiple Set-Cookie:
>   headers. While this breaks the HTTP specification, Apache will probably
>   be updated in a future to send multiple cookies"
>
> Would multiple cookie headers break the HTTP spec?   I think not.
> My reading of the spec a while back gave me the impression that
> multiple headers and merged headers are equivalent. Merged headers
> are preferred because they save bandwidth.

Yes, that's exactly the point [I wrote that bit of apache week, BTW].
Multiple headers are equivalent to a single header with comma-separated
parts, but the Netscape cookie spec gives no representation for a
comma-separated list on the Set-Cookie: header.  So the Netscape spec is
broken with regard to the HTTP 1.0 spec.

The issue then is whether Apache should be updated to reflect the Netscape
cookie implementation over and above the HTTP specification. Apache will
still be HTTP/1.0 compliant, but it will have to be hacked to know that in
one particular case, it cannot merge multiple headers into one. That is
what I meant when I referred to the Netscape spec 'breaking' the HTTP/1.0
spec.

I've attached a simple patch which does this, if desired. The patch adds a
new table function, table_add(), in alloc.c which adds a duplicate key
into a table, then duplicate set-cookie headers are table_add()'ed to the
outgoing headers in scan_script_header(), if the NETSCAPE_COOKIE_HACK
define is set.

In detail, the new RFC1945 which defines HTTP/1.0 says:

  "Multiple HTTP-header fields with the same field-name may be present
   in a message if and only if the entire field-value for that header
   field is defined as a comma-separated list" [1] para 4.2

But the Netscape spec defines the Set-Cookie header with
no representation of multiple cookies on a single header (i.e. no
comma-separated list):

  "Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
	domain=DOMAIN_NAME; secure" [2]

Therefore, from [1], multiple Set-Cookie: headers are not allowed.

Paul

[1] http://ds.internic.net/rfc/rfc1945.txt
[2] http://proto.netscape.com/newsref/std/cookie_spec.html

--
Paul Sutton, Technical Director, UK Web --- http://www.ukweb.com/~paul/
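
An added illustration, not part of the original thread and not the attached patch or Apache's own code: a small header table showing the difference between merging a repeated field into one comma-separated value and adding it as a duplicate key, with Set-Cookie exempted from merging. The names hdr_add, hdr_merge, script_header and cookie_hack are hypothetical, and the cookie values are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_HDRS 16
#define VAL_LEN  256

struct hdr { char key[32]; char val[VAL_LEN]; };
struct hdr_table { struct hdr e[MAX_HDRS]; int n; };

/* Append an entry even when the key already exists (duplicate key). */
static int hdr_add(struct hdr_table *t, const char *key, const char *val) {
    if (t->n >= MAX_HDRS || strlen(key) >= sizeof t->e[0].key || strlen(val) >= VAL_LEN)
        return -1;                       /* reject rather than truncate */
    strcpy(t->e[t->n].key, key);
    strcpy(t->e[t->n].val, val);
    t->n++;
    return 0;
}

/* Fold a repeated key into one comma-separated value (RFC 1945, 4.2). */
static int hdr_merge(struct hdr_table *t, const char *key, const char *val) {
    for (int i = 0; i < t->n; i++) {
        if (strcasecmp(t->e[i].key, key) != 0) continue;
        size_t used = strlen(t->e[i].val);
        if (used + strlen(val) + 3 > VAL_LEN) return -1;   /* ", " + NUL */
        snprintf(t->e[i].val + used, VAL_LEN - used, ", %s", val);
        return 0;
    }
    return hdr_add(t, key, val);
}

/* Hypothetical hook: with cookie_hack set (stands in for the
 * NETSCAPE_COOKIE_HACK define), Set-Cookie is added, never merged. */
static int script_header(struct hdr_table *t, const char *key, const char *val, int cookie_hack) {
    if (cookie_hack && strcasecmp(key, "Set-Cookie") == 0)
        return hdr_add(t, key, val);
    return hdr_merge(t, key, val);
}

int main(void) {
    struct hdr_table t = { .n = 0 };
    script_header(&t, "Set-Cookie", "a=1; path=/", 1);   /* constructed sample */
    script_header(&t, "Set-Cookie", "b=2; path=/", 1);
    for (int i = 0; i < t.n; i++) printf("%s: %s\r\n", t.e[i].key, t.e[i].val);
    return 0;
}
```

With cookie_hack set to 0 the same two calls leave a single Set-Cookie entry whose value joins both cookies with a comma, which is the form the Netscape spec has no representation for.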

Re: apache week and cookies and a patch

Posted by Mark J Cox <ma...@ukweb.com>.
> +1.  Does mod_cookies cause any problems when used in combination with
> CGI's?  Should that be modified too?

+1 to Paul's patch

mod_cookies (+1 to rename to mod_tracking in 1.2) doesn't interfere with
cookies generated by user CGI programs;  currently one Set-Cookie line is
generated for tracking, and one Set-Cookie line for all the Set-Cookies
output by the CGI.

Mark


Re: apache week and cookies and a patch

Posted by Brian Behlendorf <br...@organic.com>.
On Fri, 31 May 1996, Paul Sutton wrote:
> The issue then is whether Apache should be updated to reflect the Netscape
> cookie implementation over and above the HTTP specification. Apache will
> still be HTTP/1.0 compliant, but it will have to be hacked to know that in
> one particular case, it cannot merge multiple headers into one. That is
> what I meant when I referred to the Netscape spec 'breaking' the HTTP/1.0
> spec.
> 
> I've attached a simple patch which does this, if desired. The patch adds a
> new table function, table_add(), in alloc.c which adds a duplicate key
> into a table, then duplicate set-cookie headers are table_add()'ed to the
> outgoing headers in scan_script_header(), if the NETSCAPE_COOKIE_HACK
> define is set.

+1.  Does mod_cookies cause any problems when used in combination with 
CGI's?  Should that be modified too?

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  |  We're hiring!  http://www.organic.com/Home/Info/Jobs/