On Wed, 14 Oct 2009, Daniel Stenberg wrote:

> Based on feedback I got on the http-state mailing list from a Firefox
> developer on this topic, we should probably consider making _all_ failures
> to parse the expire date as a reason to switch it to a session cookie and
> not just on blank dates, as that seems to be what Firefox does. (Still to
> be found out how others deal with such cookies) 

As discussed, I tested several browsers with these cookies:

1. EmptyDate cookie: "Expires="
2. BadDate cookie: "Expires=sometime"
3. ExtraCharsAfterDate: "Expires=Sun, 25-Oct-2009 20:15:56 GMT extra symbols"

The following three browsers behave in the same way: they treat EmptyDate
and BadDate as session cookies, but recognise the expiry date on the third
cookie:

        MSIE 8.0 on Win XP SP3
        Firefox 3.5.3 on Win XP SP3
        Epiphany (WebKit) 2.28.0 on Ubuntu 9.10 

The only exception was Konqueror/4.3 (KHTML/4.3.2), which treats all three as
session cookies.

Considering the above, I agree with Daniel: I think that any failure to parse
the cookie date in CURL should make it a session cookie. The patch against the
CVS HEAD is enclosed.

Regards,
Dima.

===================================================================
RCS file: /cvsroot/curl/curl/lib/cookie.c,v
retrieving revision 1.110
diff -u -r1.110 cookie.c
--- lib/cookie.c        28 Sep 2009 17:01:23 -0000      1.110
+++ lib/cookie.c        24 Oct 2009 20:04:45 -0000
@@ -363,9 +363,8 @@
               badcookie = TRUE;
               break;
             }
-            /* Note that we store -1 in 'expires' here if the date couldn't
-               get parsed for whatever reason. This will have the effect that
-               the cookie won't match. */
+            /* Note that if the date couldn't get parsed for whatever reason,
+               the cookie will be treated as a session cookie */
             co->expires = curl_getdate(what, &now);
 
             /* Session cookies have expires set to 0 so if we get that back
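Review bot: the replacement comment above `co->expires = curl_getdate(what, &now);` drops the fact that the call stores -1 on a parse failure, which the removed comment recorded, and the conversion to a session cookie does not happen on this line but in the branch added further down. Suggest keeping both halves, for example "curl_getdate returns -1 if the date could not be parsed; this is converted to 0 below so the cookie is treated as a session cookie", and ending the sentence with a period as the removed comment did.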
@@ -373,6 +372,8 @@
                non-session cookie */
             if (co->expires == 0)
               co->expires = 1;
+            else if( co->expires < 0 )
+                co->expires = 0;
           }
           else if(!co->name) {
             co->name = strdup(name);
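Review bot: the new branch `else if( co->expires < 0 )` treats every negative value as a parse failure, while the comment removed earlier in this patch names -1 as the failure value; if curl_getdate can return other negative values (for instance for dates before 1970), those cookies would become session cookies rather than expired ones, so either test for `-1` explicitly or say in a comment that any negative value is meant. The context comment just above still describes only the 0 to 1 case and should mention the new branch as well. Style: the neighbouring `if (co->expires == 0)` has no spaces inside its parentheses and indents its body by two columns, whereas the added lines use `if( ... )` and a four-column indent.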
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
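The expiry mapping discussed in this message, run over the three test cookies, as an added example that is not part of the original post or of curl's code. `parse_cookie_date` is a constructed stand-in for `curl_getdate` that accepts a single date format, and `cookie_expires` is a hypothetical name for the mapping the patch applies.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in parser (not curl_getdate): accepts only
   "Www, DD-Mon-YYYY HH:MM:SS GMT", ignores anything after the zone,
   and returns seconds since 1970 or -1 when the value does not parse. */
static long long parse_cookie_date(const char *s)
{
  static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
  char mon[4] = "", zone[4] = "";
  const char *p;
  int d, y, h, mi, sec, m;
  long long yy, yoe, doy, days;
  if(sscanf(s, "%*[A-Za-z], %d-%3[A-Za-z]-%d %d:%d:%d %3s",
            &d, mon, &y, &h, &mi, &sec, zone) != 7)
    return -1;
  p = strstr(months, mon);
  if(strlen(mon) != 3 || !p || (p - months) % 3 || strcmp(zone, "GMT"))
    return -1;
  if(y < 1970 || d < 1 || d > 31 || h < 0 || h > 23 ||
     mi < 0 || mi > 59 || sec < 0 || sec > 60)
    return -1;
  m = (int)(p - months) / 3 + 1;
  /* days since 1970-01-01 for a Gregorian calendar date */
  yy = y - (m <= 2);
  yoe = yy % 400;
  doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
  days = (yy / 400) * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
  return days * 86400 + h * 3600LL + mi * 60 + sec;
}

/* Same mapping as the patch: 0 means session cookie, so an unparseable
   date becomes 0 and a date that parses to exactly 0 is bumped to 1. */
long long cookie_expires(const char *value)
{
  long long t = parse_cookie_date(value);
  if(t == 0)
    return 1;
  return t < 0 ? 0 : t;
}

int main(void)
{
  const char *v[] = { "", "sometime",  /* the three test cookies */
                      "Sun, 25-Oct-2009 20:15:56 GMT extra symbols" };
  for(int i = 0; i < 3; i++)
    printf("Expires=%s -> %lld\n", v[i], cookie_expires(v[i]));
  return 0;
}
```

A result of 0 marks a session cookie; any other value is the expiry time in seconds since 1970.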
