----- Original Message ----

> From: Clinton Gormley <cl...@traveljury.com>
> To: apreq-dev@httpd.apache.org
> Sent: Saturday, February 14, 2009 8:21:51 AM
> Subject: Cookie parsing errors: conflicting information, expected token not 
> present
> 
> Hiya
> 
> There has been some discussion about cookie parsing errors with
> libapreq2 on the modperl list, and Joe Schaefer said:
> 
>     What version of apreq was this?  And did you report it to the
>     apreq-dev@ mailing list?
> 
> While I have previously reported the errors I see to the modperl list, I
> thought I'd send them here as well.
> 
> This is in apache 2.2.4 with libapreq2-2.08, on linux x86_64.
> 
> The code I use to parse the cookies is as follows:
> 
> ------------------------------------------------------------------------
>         my $req = APR::Request::Apache2->handle( $self->r );
>         my %cookies;
>         if ( $req->jar_status =~ /^(?:Missing input data|Success)$/ ) {
>             my $jar = $req->jar;
>             foreach my $key ( keys %$jar ) {
>                 $cookies{$key} = $jar->get($key);
>             }
>         }
> 
>         ## Send warning with headers to explain bad cookie
>         else {
>             warn(   "COOKIE ERROR: "
>                   . $req->jar_status . "\n"
>                   . Data::Dumper::Dumper( $self->r->headers_in() ) );
>         }
> 
> ------------------------------------------------------------------------
> 
> The headers which get passed back to my users look like this:
> 
> Set-Cookie: SID=n4@@GcCoAzMAAF7rnv8AAAAC|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; path=/; domain=www.xxxx.com
> Set-Cookie: UID=n4@@GcCoAzMAAF7rnv8AAAAC|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; path=/; domain=www.xxxx.com; expires=Sun, 14-Feb-2010 13:06:36 GMT
> 
> We run various sites, all of which have Google Analytics plus usually
> some other form of click tracking and advertising, which set their own
> cookies.
> 
> Below are examples of Cookie headers that caused libapreq to throw one
> of two errors:
> 
> Conflicting information:
> ------------------------
> 
> 'UID=MTj9S8CoAzMAAFEq21YAAAAG|c85a9e59db92b261408eb7539ff7f949b92c7d58; 
> $Version=0;SID=MTj9S8CoAzMAAFEq21YAAAAG|c85a9e59db92b261408eb7539ff7f949b92c7d58;$Domain=www.xxxx.com;$Path=/'

Should be $Version=1, as there is no specification that describes $Version=0.

> 'UID=Gh9VxX8AAAIAAHP7h6AAAAAC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; 
> SID=Gh9VxX8AAAIAAHP7h6AAAAAC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; 
> $Version=1'

The $Version=1 string needs to precede the cookie, not follow it.

> 'UID=hCijN8CoAzMAAGVDO2QAAAAF|50299f079343fd6146257c105b1370f2da78246a; 
> SID=hCijN8CoAzMAAGVDO2QAAAAF|50299f079343fd6146257c105b1370f2da78246a; 
> $Path="/"; $Domain="www.xxxx.com"'

Missing a $Version=1 token.

> Expected token not present:

[...]

All of these have commas in them, which is disallowed by every cookie spec.

> I realise that the cookies themselves may not be compliant, either
> because of bad JS or buggy clients, but CGI.pm manages to parse all of
> the examples below, in the same way that browsers try to cope with dodgy
> HTML. It'd be nice if libapreq were a bit more DWIM.

apreq is written to be standards compliant, and although more DWIM might be
nice, it shouldn't come at a cost of violating the specifications (IMO).
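The rules this reply spells out (a $Version=1 token must lead an RFC 2109-style header, $Path/$Domain describe the cookie before them, a bare comma cannot sit inside a value), written out as an added Python checker. This is example code, not apreq's parser; the simplified value grammar and the mapping onto the two apreq error strings are assumptions made for the illustration.

```python
import re

# Assumed simplification of the RFC 2109 grammar: a value is either a
# quoted-string or a run of non-separator characters. ';' and ',' are
# separators, so a bare comma never belongs inside an unquoted value.
VALUE_RE = re.compile(r'^(?:"[^"]*"|[^\s;,"=]+)$')
CONFLICT = "Conflicting information"      # assumed mapping to apreq's message
MISSING = "Expected token not present"    # assumed mapping to apreq's message


def split_pairs(header):
    """Split 'a=b; c=d' into [('a', 'b'), ('c', 'd')]; value is None without '='."""
    pairs = []
    for raw in header.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        name, eq, value = raw.partition('=')
        pairs.append((name.strip(), value.strip() if eq else None))
    return pairs


def diagnose_cookie_header(header):
    """Return None if the Cookie header passes the thread's rules, else the
    error class it would fall under."""
    pairs = split_pairs(header)
    if not pairs:
        return MISSING
    # Every pair needs a value, and a value must not contain a bare comma.
    for name, value in pairs:
        if value is None or not VALUE_RE.match(value):
            return MISSING
    if not any(name.startswith('$') for name, _ in pairs):
        return None  # plain NAME=VALUE pairs: nothing version-specific to check
    # RFC 2109 style: the $Version=1 token comes first ($Version=0 is not a
    # specified value, and a trailing or missing $Version is contradictory).
    if pairs[0] != ('$Version', '1'):
        return CONFLICT
    seen_cookie = False
    for name, value in pairs[1:]:
        if name == '$Version':
            return CONFLICT  # a second version token contradicts the first
        if name in ('$Path', '$Domain'):
            if not seen_cookie:
                return CONFLICT  # attribute with no cookie to describe
        elif name.startswith('$'):
            return CONFLICT  # unknown reserved attribute
        else:
            seen_cookie = True
    return None
```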


