[
https://issues.apache.org/jira/browse/HTTPCLIENT-1646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Oleg Kalnichevski resolved HTTPCLIENT-1646.
-------------------------------------------
Resolution: Invalid
RFC 2109, section 4.3.2
{noformat}
4.3.2 Rejecting Cookies
To prevent possible security or privacy violations, a user agent
rejects a cookie (shall not store its information) if any of the
following is true:
...
* The request-host is a FQDN (not IP address) and has the form HD,
where D is the value of the Domain attribute, and H is a string
that contains one or more dots.
Examples:
* A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
would be rejected, because H is y.x and contains a dot.
{noformat}
Oleg
> Cookie domain and host depth
> ----------------------------
>
> Key: HTTPCLIENT-1646
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1646
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpCookie
> Affects Versions: 4.4.1
> Environment: JDK 1.8
> Reporter: Greg Hulands
>
> When connecting to a host with a domain name such as sub1.sub2.mydomain.com,
> http client will log the following message and reject the cookie.
> WARNING: Cookie rejected [sessionid="40720098-5f60-4440-96e4-9e5cafec2de8",
> version:1, domain:.mydomain.com, path:/, expiry:null] Domain attribute
> ".mydomain.com" violates RFC 2109: host minus domain may not contain any dots
> I was unable to find in the spec where this is actually specified for the
> domain attribute.
> This effectively limits cookies to be written only one subdomain higher than
> the current host. This happens in both RFC2965DomainAttributeHandler and
> RFC2109DomainAttributeHandler.
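The RFC 2109 section 4.3.2 rule quoted in the resolution, as an added stand-alone example (not HttpClient's own code; the class and method names are hypothetical). It assumes the request-host is an FQDN, so IP address handling is left out, and it also applies the leading-dot requirement from the same RFC section, which the quote above elides.

```java
import java.util.Locale;

public class Rfc2109DomainCheck {

    /** Returns null if the Domain attribute passes, otherwise the reason for rejection. */
    static String rejectReason(String requestHost, String domainAttr) {
        String host = requestHost.toLowerCase(Locale.ROOT);
        String domain = domainAttr.toLowerCase(Locale.ROOT);

        // RFC 2109 4.3.2 (elided on the page): an explicit Domain must start with a dot.
        if (!domain.startsWith(".")) {
            return "Domain attribute does not start with a dot";
        }
        // The request-host must have the form HD, i.e. end with the Domain value D.
        if (!host.endsWith(domain)) {
            return "request-host does not end with " + domainAttr;
        }
        // H is what remains of the host once D is removed from the end.
        String h = host.substring(0, host.length() - domain.length());
        if (h.indexOf('.') != -1) {
            return "host minus domain (\"" + h + "\") contains a dot";
        }
        return null;
    }

    public static void main(String[] args) {
        // The first pair is the RFC's example and the second is from the issue report;
        // the remaining pairs are constructed for contrast.
        String[][] cases = {
            {"y.x.foo.com", ".foo.com"},
            {"sub1.sub2.mydomain.com", ".mydomain.com"},
            {"sub1.sub2.mydomain.com", ".sub2.mydomain.com"},
            {"www.mydomain.com", ".mydomain.com"},
            {"www.example.org", ".mydomain.com"},
        };
        for (String[] c : cases) {
            String reason = rejectReason(c[0], c[1]);
            System.out.printf("%-24s Domain=%-20s %s%n", c[0], c[1],
                    reason == null ? "accepted" : "rejected: " + reason);
        }
    }
}
```

The second and third cases show the effect described in the report: the same host may set a cookie for `.sub2.mydomain.com` but not for `.mydomain.com`.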