On 07/19/2008 06:08 PM, Nick Kew wrote:
> Reviewing the backport proposal in STATUS, it amounts to
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=639465&r2=664330&pathrev=664330
> It still seems to be at risk of generating a malformed cookie,
> if secure is unset (NULL) but httponly is set.
I ignore the way cookie parts are internally stored, but are they always stored in this order (expires:path:secure:HttpOnly)?
Couldn't we have ...:HttpOnly:secure?
If so, we could end up with comparing strings with the wrong cookie part.

Also, in the internal format, "secure" and "httponly" could be stored as "1" or "true"? In rev 664330, both "secure" and "httponly" are compared against "1" and "true"; in rev 647395 and in the patch attached to bug 44799, only secure is compared against "1" and "true".
This is quite confusing ...
