I was reviewing the mod_usertrack docs and a few things jumped out at
me as "this should be corrected". So, I took it upon myself to do so
and the patch is attached.
Changes:
- Note about "two-part top level domain" cookies (such as .co.uk)
being invalid in most current browsers. As they fall into the "two-dot
rule" of the Netscape cookie spec (.domain.com), it may not be obvious
to someone who tries to set such a cookie why it is failing.
- A note that current browsers only fully support Netscape cookies.
While most browsers will accept an RFC2109 cookie, they tend to get
converted into a Netscape cookie internally, anyway. As browsers catch
up to the RFCs, this will have to be revisited.
- An update to the CookieTracking directive to be "more correct" now
that the world has embraced DSOs...
It may be nothing earth-shaking, but it does make me feel a tiny bit
better about mod_usertrack. :)
Warmest,
--Matt
--
/*
* Matt Lewandowsky [EMAIL PROTECTED]
* Random Geek http://www.iamcode.net/
* +1 (866) 606-9696 +44 (0) 844 484 8254
*/
Index: mod_usertrack.xml
===================================================================
--- mod_usertrack.xml (revision 413365)
+++ mod_usertrack.xml (working copy)
@@ -123,6 +123,16 @@
<p>The domain string <strong>must</strong> begin with a dot, and
<strong>must</strong> include at least one embedded dot. That is,
".foo.com" is legal, but "foo.bar.com" and ".com" are not.</p>
+
+ <note>
+ <p>Most browsers in use today will disallow cookies to be set for
+ a "two-part top level domain" such as <strong>.co.uk</strong>. This
+ is because a two-part top level domain is equivalent to a top level
+ domain such as <strong>.com</strong>. Allowing such cookies may be
+ seen as a security risk. If you are under a two-part top level
+ domain, use your actual domain (for example,
+ <strong>.foo.co.uk</strong>), instead.</p>
+ </note>
</usage>
</directivesynopsis>
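Review bot: The new note never says that ".co.uk" passes the rule stated in the paragraph just above it (it begins with a dot and contains one embedded dot), which is exactly why an administrator would expect it to work. Say so explicitly, and say that the rejection happens in the browser, so the cookie is dropped without any error on the server side. "May be seen as a security risk" is also vague next to the sentence that equates .co.uk with .com: state the consequence directly, that a cookie scoped to such a suffix would be shared by every unrelated site under it. Minor: the comma before "instead" in the last sentence is not needed.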
@@ -209,7 +219,8 @@
<p>Not all clients can understand all of these formats. but you
should use the newest one that is generally acceptable to your
- users' browsers.</p>
+ users' browsers. As of mid-2006, most browsers only fully support
+ <code>CookieStyle Netscape</code>.</p>
</usage>
</directivesynopsis>
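Review bot: In the added sentence, "most browsers only fully support <code>CookieStyle Netscape</code>" mixes up the server directive with the cookie format; browsers support the Netscape cookie format, and CookieStyle Netscape is the setting that selects it. Suggest wording along the lines of "most browsers only fully support the Netscape format, so use <code>CookieStyle Netscape</code>". The "As of mid-2006" qualifier will go stale in versioned docs, so consider tying it to the documentation version instead. While this paragraph is being touched, the unchanged context line "formats. but you" still has a lowercase "but" after a full stop.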
@@ -229,12 +240,12 @@
<override>FileInfo</override>
<usage>
- <p>When the user track module is compiled in, and
- "CookieTracking on" is set, Apache will start sending a
- user-tracking cookie for all new requests. This directive can
- be used to turn this behavior on or off on a per-server or
- per-directory basis. By default, compiling mod_usertrack will
- not activate cookies. </p>
+ <p>When <module>mod_usertrack</module> is enabled, and
+ <code>CookieTracking on</code> is set, Apache will send a
+ user-tracking cookie for all new requests. This directive can be
+ used to turn this behavior on or off on a per-server or per-directory
+ basis. By default, enabling <module>mod_usertrack</module> will not
+ activate cookies.</p>
</usage>
</directivesynopsis>
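Review bot: "When mod_usertrack is enabled" in the first added line replaces "compiled in" with a term the paragraph does not define, and the last sentence then uses "enabling" again for the same thing. Since the point of the change is to cover DSO builds, say "loaded or compiled in" (or "present in the server") so the reader can tell that module availability is one step and <code>CookieTracking on</code> is the second. The comma after "enabled" before "and" can be dropped.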