Hi Oleg,

then I was misinterpreting you. Let's put in some examples:

> RFC 2109
>
> <quote>
> 4.3.2 Rejecting Cookies
>
> To prevent possible security or privacy violations, a user agent rejects
> a cookie (shall not store its information) if any of the following is
> true:
>
> * The value for the Path attribute is not a prefix of the request-URI.
>
> </quote>

request-URI: /Canada/whatever.asp
Path attribute: /

The Path attribute "/" of the received cookie is a prefix of the
request-URI "/Canada/whatever.asp" from where it is set, so the cookie
will not be rejected. In other words, a servlet can set cookies with a
path shorter than its own, but not longer than or different from its own.

cheers,
Roland


Oleg Kalnichevski <[EMAIL PROTECTED]>
17.02.2005 11:10
Please respond to "HttpClient User Discussion"
To: HttpClient User Discussion <[email protected]>
cc:
Subject: Re: cookie paths (was: Can someone please explain what these errors mean?)

Roland,

I still think the wording of the RFCs implies that "/Canada/" matches "/"
but not the other way around. A cookie with a path attribute "/Canada" can
be set at the URL "/", but not vice versa.

Oleg

On Thu, Feb 17, 2005 at 10:43:51AM +0100, Roland Weber wrote:
> Hi Oleg,
>
> speaking from a string perspective, "/" is a prefix of both,
> "/Canada" and "/Canada/whatever.asp". RFC 2965 mentions
> string-matching for paths on top of page 2.
>
> cheers,
> Roland
>
>
> Oleg Kalnichevski <[EMAIL PROTECTED]>
> 17.02.2005 10:31
> Please respond to "HttpClient User Discussion"
> To: HttpClient User Discussion <[email protected]>
> cc:
> Subject: Re: cookie paths (was: Can someone please explain what these errors mean?)
>
> RFC 2109
>
> <quote>
> 4.3.2 Rejecting Cookies
>
> To prevent possible security or privacy violations, a user agent rejects
> a cookie (shall not store its information) if any of the following is
> true:
>
> * The value for the Path attribute is not a prefix of the request-URI.
>
> </quote>
>
> Please correct me if I am wrong but the first point implies that a CGI
> at the url "/Canada/whatever.asp" may only set cookies with path
> starting with "/Canada/". Am I misreading the RFC?
>
> Evil Comrade Oleg (a.k.a cookie ayatollah)
>
>
> On Thu, Feb 17, 2005 at 10:17:47AM +0100, Roland Weber wrote:
> > Hi Oleg,
> >
> > > A cookie with "/" path attribute may not be
> > > set from a URL other than "/".
> >
> > my understanding is that a cookie with path "/" may be set from any URL
> > with path prefix "/". RFC 2109 mentions the prefix requirement in
> > section 4.3.2 on page 6. So does RFC 2965 in section 3.3.2 on page 8.
> > Unlike with domain names, there is no "reach" restriction that would
> > prevent a servlet at /where/ever/it/may/reside to set a cookie for /
> > on that host, which would be the same as setting a cookie without any
> > path at all.
> >
> > cheers,
> > Roland
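
The rule quoted in this thread (RFC 2109 section 4.3.2: reject the cookie if its Path attribute is not a prefix of the request-URI), written out as an added Python example; it is not part of the original messages and not HttpClient code. The function names, the example.test URLs and the Set-Cookie values are constructed, and both the comparison against the path portion of the URL only and the simple split on ";" are assumptions of this sketch.

```python
from urllib.parse import urlsplit


def request_path(url):
    """Path portion of the request URL (assumption: query string is ignored)."""
    return urlsplit(url).path or "/"


def path_attribute(set_cookie):
    """Return the Path attribute of a Set-Cookie value, or None if absent.

    Attribute names are case-insensitive and the value may be quoted.
    Assumption: no ';' appears inside a quoted value.
    """
    for part in set_cookie.split(";")[1:]:  # first part is NAME=VALUE
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "path":
            return value.strip().strip('"') or None
    return None


def rejected_for_path(set_cookie, request_url):
    """True if the quoted rule rejects the cookie: Path is not a string
    prefix of the request path. Without a Path attribute the rule has
    nothing to check, so the cookie is not rejected on this ground."""
    path = path_attribute(set_cookie)
    if path is None:
        return False
    return not request_path(request_url).startswith(path)


# Constructed cases. The first two are the ones argued about in the thread.
CASES = [
    ("sid=1; Path=/", "http://example.test/Canada/whatever.asp"),
    ("sid=1; Path=/Canada", "http://example.test/"),
    ('sid=1; Version=1; path="/Canada/"', "http://example.test/Canada/whatever.asp"),
    ("sid=1; Path=/Canada/", "http://example.test/Canada"),
    # Plain string comparison: "/Can" is a prefix although it is not a directory.
    ("sid=1; Path=/Can", "http://example.test/Canada/whatever.asp"),
    ("sid=1", "http://example.test/Canada/whatever.asp"),
]

if __name__ == "__main__":
    for header, url in CASES:
        verdict = "reject" if rejected_for_path(header, url) else "accept"
        print(f"{verdict:6}  {request_path(url):22}  Set-Cookie: {header}")
```
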
