[AnyEvent::HTTP] bug while handling cookie

Andrey Khozov avkhozov at googlemail.com
Thu Jul 18 19:40:14 CEST 2013


On Thu, Jul 18, 2013 at 10:25 PM, Marc Lehmann <schmorp at schmorp.de> wrote:

> On Thu, Jul 18, 2013 at 10:03:04PM +0600, Andrey Khozov <avkhozov at googlemail.com> wrote:
> > I know that when an HTTP server sends the following header to the client:
> >
> > *Set-Cookie: name=data; Path=/; Domain=example.com*
> >
> > the user agent should send this header to the server on the next request
> > to *http://example.com*:
> >
> > *Cookie: name=data*
> >
> > AnyEvent::HTTP does not do it.
>
> I think it does - at least if I modify your example program to use
> "example.com" in the jar and in the extract call, it does extract the
> cookie, and I have no reason to believe that it wouldn't do the same when
> used internally.
>
> It also seems to be a different issue than what you were talking about
> before. (.example.com vs. example.com).
>


When AE::HTTP gets the header
*Set-Cookie: name=data; Path=/; Domain=example.com*
a key '*.example.com*' (with a leading dot) appears in the jar,
and on the next HTTP request the cookies are not sent.



>
> > This is described in http://tools.ietf.org/html/rfc6265#section-4.1.2.3,
> > for example.
>
> And it is also what ae::http implements.
>
> Note also that you are quoting the wrong section, the relevant section is
> 5.1.3 (Domain Matching), section 4 is completely irrelevant for this
> problem.
>
> > I realized that my previous patch is not correct, but the current
> > behavior of the AE::HTTP is also not correct.
>
> You have given zero evidence for that so far though - in fact, your
> evidence shows that it works according to the RFC at least for that
> domain (ae::http does not even attempt to implement rfc6265).
>
> Lastly, what counts is not that rfc or any other, as real world servers
> expect slightly different rules. AnyEvent::HTTP tries to follow what's
> practical, not any of the many rfcs that were never implemented by
> anybody.
>
> Again, what's correct or not is a difficult question, and cannot be
> answered by quoting the (mostly irrelevant) RFCs on this topic.
>
> --
>                 The choice of a       Deliantra, the free code+content MORPG
>       -----==-     _GNU_              http://www.deliantra.net
>       ----==-- _       generation
>       ---==---(_)__  __ ____  __      Marc Lehmann
>       --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
>       -=====/_/_//_/\_,_/ /_/\_\
>



-- 
Andrey Khozov
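
The matching rules under discussion, as an added example that is not part of the original message and is not AnyEvent::HTTP's code: it implements RFC 6265 sections 5.2.3 and 5.1.3 and compares them with a hypothetical plain suffix test (`suffix_match`) against a jar key with and without the leading dot. The hosts are constructed sample values; the dotted key misses the bare host, while the undotted key also accepts an unrelated domain that merely ends in the same string.

```perl
use strict;
use warnings;

# RFC 6265 section 5.2.3: a leading "." in the Domain attribute is ignored,
# so "Domain=.example.com" and "Domain=example.com" store the same value.
sub canonical_cookie_domain {
    my ($attr) = @_;
    $attr =~ s/^\.//;
    return lc $attr;
}

# RFC 6265 section 5.1.3 domain matching: identical, or the host ends in
# "." followed by the cookie domain and is a host name, not an IP address.
sub domain_match {
    my ($host, $domain) = (lc $_[0], lc $_[1]);
    return 1 if $host eq $domain;
    return 0 if $host =~ /^[0-9.]+$/ || $host =~ /:/;    # rough IP-literal test
    return 0 if length($host) <= length($domain);
    return substr($host, -(length($domain) + 1)) eq ".$domain" ? 1 : 0;
}

# Hypothetical lookup for comparison: plain suffix test against the jar key.
sub suffix_match {
    my ($host, $key) = (lc $_[0], lc $_[1]);
    return $host =~ /\Q$key\E\z/ ? 1 : 0;
}

# Constructed sample data: the Domain value from the thread, three request hosts.
my $attr   = "example.com";                     # Domain=example.com
my $stored = canonical_cookie_domain($attr);    # value per section 5.2.3
my $dotted = ".$stored";                        # jar key with a leading dot

printf "%-18s %-10s %-26s %s\n",
    "host", "RFC 6265", "suffix vs $dotted", "suffix vs $stored";
for my $host (qw(example.com www.example.com badexample.com)) {
    printf "%-18s %-10d %-26d %d\n", $host,
        domain_match($host, $stored),
        suffix_match($host, $dotted),
        suffix_match($host, $stored);
}
```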