[AnyEvent::HTTP] bug while handling cookie

Lee Aylward lee at laylward.com
Fri Jul 19 02:45:16 CEST 2013


On Jul 18, 2013, at 1:54 PM, Marc Lehmann <schmorp at schmorp.de> wrote:

> On Thu, Jul 18, 2013 at 11:40:14PM +0600, Andrey Khozov <avkhozov at googlemail.com> wrote:
>> When AE::HTTP gets the header
>> *Set-Cookie: name=data; Path=/; Domain=example.com*
>> a key '*.example.com*' (with a leading dot) appears in the jar,
>> and at the next HTTP request the cookies are not sent.
> 
> Your mails are very confusing - I assume '* means a start quote and *'
> means an end quote (using consistent quoting would help enormously), so
> the two strings are:
> 
>   example.com
>   .example.com
> 
> And for this, yes, as per most of the specs and as used in the real world,
> the cookie should not be sent, as .example.com only matches subdomains of
> example.com. Sending it unconditionally is a security risk.
> 
> So, this is not a bug.
> 
> Keep in mind that AE::HTTP doesn't enforce its cookie management; it's
> entirely optional, and, as mentioned in the documentation, you can use
> other implementations that might implement your take on how cookies should
> work, or implement your own.
> 
> Again, there is no official specification (or rather, there are many, but
> no agreed-upon one) for how this should be done, so your idea is likely as
> good as mine. AE::HTTP is designed to err on the conservative side.
> 

FWIW, just about every browser I've seen behaves as Andrey describes.

-- 
Lee
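As an added illustration (not code from AnyEvent::HTTP or from anyone in the thread), here are the two matching rules the exchange contrasts, in Python: the conservative rule under which a '.example.com' jar key covers only subdomains of example.com, and the browser rule of RFC 6265 under which Domain=example.com also covers example.com itself. The Domain-attribute acceptance check in parse_set_cookie is taken from RFC 6265 section 5.3, not from the thread; the function names and the second sample header are my own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # jar key; domain cookies carry a leading dot, as in the thread
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 (browser rule): host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def subdomain_only_matches(host: str, domain: str) -> bool:
    """Conservative rule from the thread: '.example.com' covers only proper
    subdomains of example.com, never example.com itself."""
    return host.lower().endswith("." + domain.lower().lstrip("."))

def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Parse one Set-Cookie value received from request_host.
    Returns None when the Domain attribute does not cover the responding host
    (RFC 6265 5.3 step 6), so other.org cannot plant a cookie scoped to
    example.com. Public-suffix checks are out of scope here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lower().lstrip(".")
    if not domain:                                  # host-only cookie, exact host match
        return Cookie(name, value, request_host.lower(), host_only=True)
    if not domain_matches(request_host, domain):
        return None
    return Cookie(name, value, "." + domain, host_only=False)

def cookies_for(jar: List[Cookie], host: str, strict: bool) -> List[str]:
    """Names of jar cookies a client would send to host. strict=True applies
    the subdomain-only rule; strict=False applies the browser (RFC 6265) rule."""
    match = subdomain_only_matches if strict else domain_matches
    return sorted(c.name for c in jar
                  if (host.lower() == c.domain if c.host_only else match(host, c.domain)))

if __name__ == "__main__":
    # Constructed input: the header quoted in the thread, received from example.com.
    c = parse_set_cookie("name=data; Path=/; Domain=example.com", "example.com")
    print(c.domain)                                         # .example.com
    print(cookies_for([c], "example.com", strict=True))     # []
    print(cookies_for([c], "example.com", strict=False))    # ['name']
```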

