[
https://issues.apache.org/jira/browse/HTTPCLIENT-1006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15785249#comment-15785249
]
Detlev Beutner commented on HTTPCLIENT-1006:
--------------------------------------------
Hi Oleg,
Sorry to hear that; I don't know how to explain this better, especially if you
don't give a hint where's the issue in understanding.
Anyhow, let's break this down to the core technical question: If a server sends
a cookie, how does the client have to return this one.
RFC 6265 on the one hand defines how the server sends a cookie to the client
(4.1.1):
{quote}set-cookie-string = cookie-pair *( ";" SP cookie-av )
cookie-pair = cookie-name "=" cookie-value
cookie-name = token
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ){quote}
On the other hand, it defines how such received cookies are to be sent back to
a server (4.2.1):
{quote}cookie-header = "Cookie:" OWS cookie-string OWS
cookie-string = cookie-pair *( ";" SP cookie-pair ){quote}
... where cookie-pair is the cookie-pair from above!
And explicitly (4.2.2):
{quote}The cookie-pair contains the cookie-name and cookie-value the user agent
received in the Set-Cookie header.{quote}
So a cookie whose value came in DQs also has to be sent back in DQs. That's the
core bug.
One might argue if _other_ accesses to cookie values should return the DQs or
not (i.e., if they should be interpreted as a pure "transport mechanism", then:
no; or if the DQs really should be part of the _semantic_ value, then: yes).
But that's not what we are discussing here. _That_ discussion might lead to
extensions to the Cookie interface, where (just a thought) the getValue method
might be accompanied by an additional getRawValue method (then getValue would
return a value without DQs, whereas getRawValue would return the complete
_cookie-value_ as received via the network, so in the DQ case, with DQs). But
as said, that's more the question _how to fix this_.
Best regards
Detlev
> BrowserCompatSpec: don't trim " around cookie value
> ---------------------------------------------------
>
> Key: HTTPCLIENT-1006
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1006
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.0.2
> Reporter: Marc Guillemot
>
> If the server sends a cookie header like:
> Set-Cookie: first="hello world"
> then HttpClient parses it as cookie with value >hello world<, wrongly
> removing the leading and trailing quotes. The incorrect quote removal occurs
> in BasicHeaderValueParser.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
