[AnyEvent::HTTP] bug while handling cookie

Andrey Khozov avkhozov at googlemail.com
Thu Jul 18 20:06:26 CEST 2013


Sorry for the confusing strings (it was HTML formatting).

Thank you for your point of view.


On Thu, Jul 18, 2013 at 11:54 PM, Marc Lehmann <schmorp at schmorp.de> wrote:

> On Thu, Jul 18, 2013 at 11:40:14PM +0600, Andrey Khozov <
> avkhozov at googlemail.com> wrote:
> > When AE::HTTP gets the header
> > *Set-Cookie: name=data; Path=/; Domain=example.com*
> > a key '*.example.com*' (with a leading dot) appears in the jar,
> > and at the next HTTP request the cookies are not sent.
>
> Your mails are very confusing - I assume '* means a start quote and *'
> means an end quote (using consistent quoting would help enormously), so
> the two strings are:
>
>    example.com
>    .example.com
>
> And for this, yes, as per most of the specs and as used in the real world,
> the cookie should not be sent, as .example.com only matches subdomains of
> example.com. Sending it unconditionally is a security risk.
>
> So, this is not a bug.
>
> Keep in mind that AE::HTTP doesn't enforce its cookie management, it's
> entirely optional, and, as mentioned in the documentation, you can use
> other implementations that might implement your take on how cookies should
> work, or implement your own.
>
> Again, there is no official specification (or rather, there are many, but
> no agreed-upon one) for how this should be done, so your idea is likely as
> good as mine. AE::HTTP is designed to err on the conservative side.
>
> --
>                 The choice of a       Deliantra, the free code+content MORPG
>       -----==-     _GNU_              http://www.deliantra.net
>       ----==-- _       generation
>       ---==---(_)__  __ ____  __      Marc Lehmann
>       --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
>       -=====/_/_//_/\_,_/ /_/\_\
>



-- 
Andrey Khozov
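The domain-matching rule Marc describes above (a jar key with a leading dot, such as ".example.com", matches only proper subdomains, so example.com itself receives nothing) is the older Netscape-style interpretation; RFC 6265 (section 5.1.3) instead counts the exact domain as a match as well, which is why browsers do send that cookie back to example.com. The following is an added example, not AnyEvent::HTTP's code, with a minimal jar that applies both rules to the header from the thread so the difference is visible. It also implements the check that matters for security either way: a Domain attribute that does not cover the responding host is dropped (RFC 6265 section 5.3), so a response from example.com cannot plant a cookie for another site. Function names and the sample headers are constructed for this example.

```python
# Added example (not AnyEvent::HTTP's code): a minimal cookie jar that
# shows why a cookie stored under ".example.com" is not sent back to
# example.com under the conservative rule from the thread, and how the
# RFC 6265 domain-match differs.  All names here are hypothetical.


def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header value received from request_host.

    Returns a cookie dict, or None when the Domain attribute does not
    cover request_host (RFC 6265 section 5.3): a response from
    example.com must not be able to set a cookie for attacker.example.
    """
    request_host = request_host.lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "path": "/",
        "domain": request_host,   # no Domain attribute: host-only cookie
        "host_only": True,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # A leading dot is ignored (RFC 6265 section 5.2.3); the jar in
            # the thread stores the same cookie under the key ".example.com".
            domain = val.lower().lstrip(".")
            if not (request_host == domain or request_host.endswith("." + domain)):
                return None  # Domain does not cover the responding host: drop it
            cookie["domain"] = domain
            cookie["host_only"] = False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie


def domain_matches_conservative(cookie, host):
    """Thread rule: Domain=example.com (jar key '.example.com') matches
    only proper subdomains; example.com itself gets nothing."""
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host.endswith("." + cookie["domain"])


def domain_matches_rfc6265(cookie, host):
    """RFC 6265 section 5.1.3: host equals the domain, or ends with '.' + domain."""
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match (cookie_path is a prefix ending in
    '/', or the next request_path character after the prefix is '/')."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_to_send(jar, host, path="/", rule=domain_matches_conservative):
    """Names of jar cookies the given domain rule would attach to a request
    for http://host/path, sorted for stable comparison."""
    host = host.lower()
    return sorted(c["name"] for c in jar
                  if rule(c, host) and path_matches(c["path"], path))


# Constructed sample headers, as if received in a response from example.com.
jar = []
for header in (
    "name=data; Path=/; Domain=example.com",    # the header from the thread
    "sess=abc; Path=/app",                       # no Domain: host-only cookie
    "evil=1; Domain=attacker.example",           # must be rejected by the jar
):
    cookie = parse_set_cookie(header, "example.com")
    if cookie is not None:
        jar.append(cookie)

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "notexample.com"):
        print(host,
              "conservative:", cookies_to_send(jar, host),
              "rfc6265:", cookies_to_send(jar, host, rule=domain_matches_rfc6265))
```

Under the conservative rule a request to example.com gets no cookies at all (the "name" cookie is subdomain-only, and "sess" is scoped to /app), while www.example.com gets "name"; under the RFC 6265 rule example.com receives "name" as well. Both rules agree on the two checks that stop cross-site leakage: "notexample.com" never matches "example.com" because the suffix test requires the dot, and the Domain=attacker.example header is never stored.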

