Skip to content
Browse files

From: Andreas Gustafsson <gson@araneus.fi>

Subject: HTTP::Cookies vs. Netscape cookies, part 1: domain matching
To: libwww-perl@ics.uci.edu
Date: 30 Sep 1998 14:18:34 +0200
Return-Path: <libwww-perl-request@ics.uci.edu>
Received: from binky.ics.uci.edu (mmdf@binky.ics.uci.edu [128.195.1.14]) by mail1.sol.no (8.9.1a/8.9.1/1.13)
	with SMTP id <OAA25191> for <gisle@aas.no>; Wed, 30 Sep 1998 14:37:46 +0200 (MET DST)
Received: from ics.uci.edu by binky.ics.uci.edu id aa28492; 30 Sep 98 5:32 PDT
Received: from paris.ics.uci.edu by binky.ics.uci.edu id aa28488;
          30 Sep 98 5:20 PDT
Received: from paris.ics.uci.edu by paris.ics.uci.edu id aa12507;
          30 Sep 98 5:19 PDT
Received: (from gson@localhost) by guava.araneus.fi (8.8.8/8.6.12) id PAA13168; Wed, 30 Sep 1998 15:18:34 +0300 (EEST)
Message-Id: <199809301218.PAA13168@guava.araneus.fi>
X-Mailing-List: <libwww-perl@ics.uci.edu> archive/1998-q3/360
X-Loop: libwww-perl@ics.uci.edu
Precedence: list
Errors-To: libwww-perl-request@ics.uci.edu
Sender: libwww-perl-request@ics.uci.edu
X-UIDL: cfb5abac5a14022e816528f928d5e82a
Status: U
Lines: 95
Xref: furu.g.aas.no lwp:2028

Here's one case where HTTP::Cookies still fails to handle
Netscape-style cookies correctly.

Suppose the web server foo.bar.fi issues a cookie:

  Set-Cookie: NAME=VALUE; PATH=/; DOMAIN=foo.bar.fi

Later, we contact a second web server baz.foo.bar.fi.
The above cookie should be sent to the server baz.foo.bar.fi
according to the Netscape rules, but HTTP::Cookies won't.

My analysis of the problems is as follows.  In
HTTP::Cookies::extract_cookies, the test
"if (defined($domain) && $domain ne $req_host)"
becomes false, because the DOMAIN= attribute matches
the host name of the issuing host.  Therefore,
no leading dot is added to the domain foo.bar.fi.

Later, in add_cookie_header, the following attempts
are made to match the host name baz.foo.bar.fi
with the domain:

  baz.foo.bar.fi	!= foo.bar.fi
  .foo.bar.fi		!= foo.bar.fi
  .bar.fi		!= foo.bar.fi

These attempts all fail, thus the Cookie header is never sent.

The patch below fixes the problem for me, but it is not as clean
as I would like.
  • Loading branch information...
1 parent 632f2f9 commit 3ebcc3d76a76a3da8a92c76e11d99edaa612b611 Gisle Aas committed Oct 3, 1998
Showing with 24 additions and 3 deletions.
  1. +24 −3 lib/HTTP/Cookies.pm
View
27 lib/HTTP/Cookies.pm
@@ -9,7 +9,7 @@ use HTTP::Headers::Util qw(split_header_words join_header_words);
use LWP::Debug ();
use vars qw($VERSION);
-$VERSION = sprintf("%d.%02d", q$Revision: 1.6 $ =~ /(\d+)\.(\d+)/);
+$VERSION = sprintf("%d.%02d", q$Revision: 1.7 $ =~ /(\d+)\.(\d+)/);
=head1 NAME
@@ -108,6 +108,7 @@ sub add_cookie_header
my @cval; # cookie values for the "Cookie" header
my $set_ver;
+ my $netscape_only = 0; # An exact domain match applies to any cookie
while (($domain =~ tr/././) >= 2 || # must be at least 2 dots
$domain =~ /\.local$/)
@@ -156,6 +157,12 @@ sub add_cookie_header
next;
}
}
+ if ($version > 0 && $netscape_only) {
+ LWP::Debug::debug(" domain $domain applies to " .
+ "Netscape-style cookies only");
+ next;
+ }
+
LWP::Debug::debug(" it's a match");
# set version number of cookie header.
@@ -191,8 +198,22 @@ sub add_cookie_header
}
} continue {
- # Try with a more general domain: www.sol.no ==> .sol.no
- $domain =~ s/^\.?[^.]*//;
+ # Try with a more general domain, alternately stripping
+ # leading name components and leading dots. When this
+ # results in a domain with no leading dot, it is for
+ # Netscape cookie compatibility only:
+ #
+ # a.b.c.net Any cookie
+ # .b.c.net Any cookie
+ # b.c.net Netscape cookie only
+ # .c.net Any cookie
+
+ if ($domain =~ s/^\.+//) {
+ $netscape_only = 1;
+ } else {
+ $domain =~ s/[^.]*//;
+ $netscape_only = 0;
+ }
}
$request->header(Cookie => join("; ", @cval)) if @cval;

0 comments on commit 3ebcc3d

Please sign in to comment.
Something went wrong with that request. Please try again.