[
https://issues.apache.org/jira/browse/GERONIMO-3861?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569354#action_12569354
]
Sangjin Lee commented on GERONIMO-3861:
---------------------------------------
There are several cookie validation strategies out there that have subtle
differences between them. Although there is an RFC for HTTP state management
(cookies), browsers often follow a more permissive strategy as set out by the
original Netscape proposal.
One suggestion is to create a CookiePolicy interface, and create one or more
concrete CookiePolicy implementations.
As for the implementation, one tricky part with the cookie validation (on the
response) is that it needs to know at least the request URL to be able to
perform the validation. I don't think HttpResponseDecoder today knows anything
about that...
I'll explore possible fixes for this, but I'd like to work with you on this
closely... Thanks!
> cookies need to be validated and filtered
> -----------------------------------------
>
> Key: GERONIMO-3861
> URL: https://issues.apache.org/jira/browse/GERONIMO-3861
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: AsyncHttpClient
> Affects Versions: 1.x
> Reporter: Sangjin Lee
> Assignee: Rick McGuire
> Priority: Minor
>
> Today AHC simply accepts all cookies from the response and emits all cookies
> in the request. However, the attributes need to be taken into consideration
> when we set the cookies as well as when we send them. Two parts of the issue:
> [1] When we emit the cookies in the request, we need to check
> - if the domain matches
> - if the path matches
> - if the cookie has not expired
> - and if the cookie is secure (if the request protocol is http)
> before adding it to the Cookie header.
> [2] When we accept the cookies in the response, we need to check for the
> domain and the path. Note that we do not discard expired cookies, as that's
> often a way to delete an existing cookie.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
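The two check lists in the issue above, together with the CookiePolicy idea from the comment, as an added example written for this page (it is not AsyncHttpClient code, and Python is used only because the logic is language-neutral). A permissive Netscape-style policy sits beside a stricter RFC 2109-style one over a small in-memory jar. The class names (NetscapePolicy, Rfc2109Policy, CookieJar), the fixed clock, the request URLs and the Set-Cookie headers are all constructed for the illustration; the "at least two dots" rule in NetscapePolicy is a simplification of the draft's two-or-three-period rule.

```python
from collections import namedtuple
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# domain is lower-case and '.'-prefixed for a domain cookie; expires None = session cookie
Cookie = namedtuple("Cookie", "name value domain path expires secure")

def expired(c, now):
    return c.expires is not None and c.expires <= now

def domain_match(host, domain):
    # Netscape tail match: '.d' covers d and every host below it; no dot = exact host.
    host, domain = host.lower(), domain.lower()
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain

def path_match(req_path, cookie_path):
    return req_path.startswith(cookie_path)  # plain prefix, as Netscape and RFC 2109 define it

def parse_set_cookie(header, req_host, req_path):
    """One Set-Cookie value to a Cookie; Domain and Path default from the request."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    domain = attrs.get("domain", "").lower()
    if domain and not domain.startswith("."):
        domain = "." + domain            # RFC 2109: an explicit Domain gets a leading dot
    domain = domain or req_host.lower()  # no Domain: host-only cookie
    path = attrs.get("path") or req_path[:req_path.rfind("/")] or "/"
    expires = parsedate_to_datetime(attrs["expires"]) if "expires" in attrs else None
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return Cookie(name.strip(), value.strip(), domain, path, expires, "secure" in attrs)

class NetscapePolicy:
    """Permissive: Domain must tail-match the request host and carry at least two dots
    (simplified from the draft's two-or-three-period rule); Path is not checked."""
    def accept(self, cookie, req_host, req_path):
        d = cookie.domain
        return not (d.startswith(".") and d.count(".") < 2) and domain_match(req_host, d)

class Rfc2109Policy(NetscapePolicy):
    """Stricter (RFC 2109 section 4.3.2): also reject when the host part below the Domain
    still contains a dot, or when Path is not a prefix of the request path."""
    def accept(self, cookie, req_host, req_path):
        if not super().accept(cookie, req_host, req_path):
            return False
        if cookie.domain.startswith(".") and "." in req_host.lower()[:-len(cookie.domain)]:
            return False
        return path_match(req_path, cookie.path)

class CookieJar:
    def __init__(self, policy):
        self.policy = policy
        self._store = {}  # (domain, path, name) -> Cookie

    def receive(self, url, set_cookies, now):
        """Apply a response's Set-Cookie headers against the request URL; returns rejected names."""
        u = urlsplit(url)
        host, path, rejected = u.hostname, u.path or "/", []
        for header in set_cookies:
            c = parse_set_cookie(header, host, path)
            if not self.policy.accept(c, host, path):
                rejected.append(c.name)
            elif expired(c, now):  # accepted, not dropped: a past Expires deletes the live cookie
                self._store.pop((c.domain, c.path, c.name), None)
            else:
                self._store[(c.domain, c.path, c.name)] = c
        return rejected

    def cookie_header(self, url, now):
        """Cookie header value for a request, or None if no stored cookie applies."""
        u = urlsplit(url)
        host, path, https = u.hostname, u.path or "/", u.scheme == "https"
        chosen = [c for c in self._store.values()
                  if domain_match(host, c.domain) and path_match(path, c.path)
                  and not expired(c, now) and (https or not c.secure)]
        chosen.sort(key=lambda c: -len(c.path))  # more specific paths first
        return "; ".join(f"{c.name}={c.value}" for c in chosen) or None

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)            # fixed clock for the samples
URL = "https://www.example.com/app/login"                  # constructed request URL
HEADERS = ["sid=abc; Domain=.example.com; Path=/; Secure",  # constructed response headers
           "pref=dark; Path=/app",
           "tracker=1; Path=/other",                       # path unrelated to the request
           "evil=1; Domain=.com"]                          # whole-TLD domain

def demo(policy):
    """Rejected names and the Cookie header sent to several follow-up requests, for one policy."""
    jar = CookieJar(policy)
    return {"rejected": jar.receive(URL, HEADERS, NOW),
            "https_app": jar.cookie_header("https://www.example.com/app/", NOW),
            "http_app": jar.cookie_header("http://www.example.com/app/", NOW),
            "other_host": jar.cookie_header("https://shop.example.com/", NOW),
            "other_path": jar.cookie_header("https://www.example.com/other/x", NOW)}
```

`demo(NetscapePolicy())` rejects only `evil` and later sends `tracker` to `/other/x`, whereas `demo(Rfc2109Policy())` also rejects `tracker` because `/other` is not a prefix of the request path; both keep the Secure `sid` cookie off the plain-http request and off hosts outside `.example.com`. Note that `receive` cannot work without the request URL, which is the dependency the comment above points out the response decoder does not yet have, and that an already-expired cookie is accepted and applied (removing the live one) rather than filtered, as the issue asks.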