[AnyEvent::HTTP] bug while handling cookie

Marc Lehmann schmorp at schmorp.de
Thu Jul 18 19:54:36 CEST 2013


On Thu, Jul 18, 2013 at 11:40:14PM +0600, Andrey Khozov <avkhozov at googlemail.com> wrote:
> When AE::HTTP gets the header
> *Set-Cookie: name=data; Path=/; Domain=example.com*
> a key '*.example.com*' (with a leading dot) appears in the jar,
> and at the next HTTP request the cookies are not sent.

Your mails are very confusing - I assume '* means a start quote and *'
means an end quote (using consistent quoting would help enormously), so
the two strings are:

   example.com
   .example.com

And for this, yes, as per most of the specs and as used in the real world,
the cookie should not be sent, as .example.com only matches subdomains of
example.com. Sending it unconditionally is a security risk.

So, this is not a bug.

Keep in mind that AE::HTTP doesn't enforce its cookie management, it's
entirely optional, and, as mentioned in the documentation, you can use
other implementations that might implement your take on how cookies should
work, or implement your own.

Again, there is no official specification (or rather, there are many, but
no agreed-upon one) for how this should be done, so your idea is likely as
good as mine. AE::HTTP is designed to err on the conservative side.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\
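The domain-matching rule discussed above, as an added example that is not AnyEvent::HTTP's code: the Set-Cookie header from the thread is parsed, stored under a dotted jar key, and then matched against request hosts under the conservative policy the reply describes and, for comparison, the RFC 6265 style policy where the bare domain also matches. The header value and the hosts are constructed sample input.

```python
# Added example (not AnyEvent::HTTP's code): cookie domain matching under two policies.
# Constructed sample: the Set-Cookie header from the thread and a few request hosts.

SET_COOKIE = "name=data; Path=/; Domain=example.com"


def parse_set_cookie(header):
    """Return (name, value, attrs) for a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def jar_key(domain_attr):
    """Normalize a Domain attribute to the jar key: lower-case with a leading
    dot, as the thread describes ('example.com' is stored as '.example.com')."""
    return "." + domain_attr.lower().lstrip(".")


def domain_matches(jar_domain, host, conservative=True):
    """Decide whether a cookie stored under jar_domain is sent to host.

    conservative=True (the behaviour described in the thread): a dotted key
    matches only proper subdomains, so '.example.com' matches
    'www.example.com' but not 'example.com' itself.
    conservative=False (RFC 6265 style): the bare domain matches as well.
    Both policies compare on a label boundary (the leading dot), so a host
    such as 'evilexample.com' never receives cookies scoped to 'example.com'.
    """
    host = host.lower()
    if host.endswith(jar_domain):          # jar_domain always starts with '.'
        return True
    if not conservative and host == jar_domain[1:]:
        return True
    return False


def cookies_for(host, jar, conservative=True):
    """Return the sorted cookie names from jar that would be sent to host."""
    return sorted(name for (dom, name) in jar
                  if domain_matches(dom, host, conservative))


name, value, attrs = parse_set_cookie(SET_COOKIE)
JAR = {(jar_key(attrs["domain"]), name): value}   # {('.example.com', 'name'): 'data'}
```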