Message125423
John: Ah sorry, if I misunderstood. The bug seems to say that it is about the Cookie Name and legal chars for this cookie name. What I was trying to say is that the processing of the Cookie Name is different depending on whether you are a client or a server *and* that there is a specification being developed by Adam Barth (part of browser vendors) to obsolete RFC 2109.
In the case of Server sending to the Client
Set-Cookie: Name=Value
The rules for production of the cookies must be strict. Always. aka the module is used for creating a cookie and indeed the "colon" character is forbidden. The "token" syntax for valid chars and invalid chars is now defined in RFC2696. It means that any US-ASCII characters EXCEPT those are authorized:
control characters (octets 0-31) and DEL (octet 127) and the following characters "(", ")", "<", ">", "@", ",", ";", ":", "\", "/", "[", "]", "?", "=", "{", "}", the double quote character itself, US-ASCII SP (octet 32) or the tabulation (octet 9)
Then if you use the Cookie Module for a client it is no longer the same story.
In the case of Client storing the value of the cookie sent by a server.
See the section "5.2. The Set-Cookie Header",
http://tools.ietf.org/html/draft-ietf-httpstate-cookie-20#section-5.2
quote:
If the user agent does not ignore the Set-Cookie header
field in its entirety, the user agent MUST parse the
field-value of the Set-Cookie header field as a
set-cookie-string (defined below).
NOTE: The algorithm below is more permissive than the
grammar in Section 4.1. For example, the algorithm strips
leading and trailing whitespace from the cookie name and
value (but maintains internal whitespace), whereas the
grammar in Section 4.1 forbids whitespace in these
positions. User agents use this algorithm so as to
interoperate with servers that do not follow the
recommendations in Section 4.
/quote
then the algorithm is described. Which means that what the server will parse will not necessarily be what the server has generated.
Section 5.4 says how the Cookie Header should be sent to the server, with an algorithm for what the server will receive.
John, do you think there is a missing algorithm for parsing the value of the cookie header when sent by the client?
Date | User | Action | Args
2011-01-05 13:23:38 | karlcow | set | recipients: + karlcow, tim.peters, akuchling, georg.brandl, jjlee, dstanek, jerry.seutter, BM, aclover, r.david.murray, BreamoreBoy
2011-01-05 13:23:38 | karlcow | set | messageid: <1294233818.15.0.106426649592.issue2193@psf.upfronthosting.co.za>
2011-01-05 13:23:36 | karlcow | link | issue2193 messages
2011-01-05 13:23:36 | karlcow | create |
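The producer/consumer asymmetry discussed in the message above, as an added example that is not part of the original message or of Python's Cookie module. The function names are hypothetical, the separator set is the HTTP "token" separator list, and the parsing steps are an assumption based on the name-value-pair handling in section 5.2 of the cited draft.

```python
# Added example: strict cookie-name production vs. permissive user-agent parsing.
# HTTP "token" separators; a cookie name produced by a server must avoid these.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def is_token(name: str) -> bool:
    """True if name is a non-empty token: US-ASCII, no CTLs/DEL, no separators."""
    return bool(name) and all(
        32 < ord(c) < 127 and c not in SEPARATORS for c in name
    )

def make_set_cookie(name: str, value: str) -> str:
    """Server side: refuse to emit a header with an illegal cookie name.
    Value validation is out of scope for this example."""
    if not is_token(name):
        raise ValueError(f"illegal cookie name: {name!r}")
    return f"Set-Cookie: {name}={value}"

def ua_parse_pair(set_cookie_string: str):
    """User-agent side: permissive name/value extraction.
    Returns (name, value), or None when the header is ignored."""
    pair = set_cookie_string.split(";", 1)[0]   # drop the attributes
    if "=" not in pair:
        return None                             # no name-value pair at all
    name, value = pair.split("=", 1)
    # Leading/trailing whitespace is stripped, internal whitespace is kept.
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name:
        return None                             # empty name is ignored
    return name, value

def compare(raw: str):
    """Return (pair a user agent stores, could a strict server have named it?)."""
    parsed = ua_parse_pair(raw)
    if parsed is None:
        return None, False
    return parsed, is_token(parsed[0])

# Constructed sample header values (not taken from the issue).
SAMPLES = ["SID=31d4", "  SID = 31d4 ; Path=/", "a:b=1",
           "my name=x", "novalue", "=orphan"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:28} -> {compare(raw)}")
```

Names such as `a:b` and `my name` are accepted by the permissive parse but rejected by the strict producer, so a server reading cookies back cannot assume every name it receives is a valid token.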