----- Original Message ---- > From: Clinton Gormley <cl...@traveljury.com> > To: apreq-dev@httpd.apache.org > Sent: Saturday, February 14, 2009 8:21:51 AM > Subject: Cookie parsing errors: conflicting information, expected token not > present > > Hiya > > There has been some discussion about cookie parsing errors with > libapreq2 on the modperl list, and Joe Schafer said: > > What version of apreq was this? And did you report it to the > apreq-dev@ mailing list? > > While I have previously reported the errors I see to the modperl list, I > thought I'd send them here as well. > > This is in apache 2.2.4 with libapreq2-2.08, on linux x86_64. > > The code I use to parse the cookies is as follows: > > ------------------------------------------------------------------------ > my $req = APR::Request::Apache2->handle( $self->r ); > my %cookies; > if ( $req->jar_status =~ /^(?:Missing input data|Success)$/ ) { > my $jar = $req->jar; > foreach my $key ( keys %$jar ) { > $cookies{$key} = $jar->get($key); > } > } > > ## Send warning with headers to explain bad cookie > else { > warn( "COOKIE ERROR: " > . $req->jar_status . "\n" > . Data::Dumper::Dumper( $self->r->headers_in() ) ); > } > > ------------------------------------------------------------------------ > > The headers which get passed back to my users look like this: > > Set-Cookie: > SID=n4@@GcCoAzMAAF7rnv8AAAAC|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; > path=/; > domain=www.xxxx.com > Set-Cookie: > UID=n4@@GcCoAzMAAF7rnv8AAAAC|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; > path=/; > domain=www.xxxx.com; expires=Sun, 14-Feb-2010 13:06:36 GMT > > We run various sites, all of which have Google Analytics plus usually > some other form of click tracking and advertising, which set their own > cookies. > > Below are examples of Cookie headers that caused libapreq to throw one > of two errors: > > Conflicting information: > ------------------------ > > 'UID=MTj9S8CoAzMAAFEq21YAAAAG|c85a9e59db92b261408eb7539ff7f949b92c7d58; > $Version=0;SID=MTj9S8CoAzMAAFEq21YAAAAG|c85a9e59db92b261408eb7539ff7f949b92c7d58;$Domain=www.xxxx.com;$Path=/'
Should be $Version=1, as there is no specification that describes $Version=0. > 'UID=Gh9VxX8AAAIAAHP7h6AAAAAC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; > SID=Gh9VxX8AAAIAAHP7h6AAAAAC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; > $Version=1' The $Version=1 string needs to precede the cookie, not follow it. > 'UID=hCijN8CoAzMAAGVDO2QAAAAF|50299f079343fd6146257c105b1370f2da78246a; > SID=hCijN8CoAzMAAGVDO2QAAAAF|50299f079343fd6146257c105b1370f2da78246a; > $Path="/"; $Domain="www.xxxx.com"' Missing a $Version=1 token. > Expected token not present: [...] All of these have commas in them, which is disallowed by every cookie spec. > I realise that the cookies themselves may not be compliant, either > because of bad JS or buggy clients, but CGI.pm manages to parse all of > the examples below, in the same way that browsers try to cope with dodgy > HTML. It'd be nice if libapreq were a bit more DWIM. apreq is written to be standards compliant, and although more DWIM might be nice, it shouldn't come at a cost of violating the specifications (IMO).