On 12/20/01 1:46 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> Hi Gisle,
>
> while using HTTP::Cookies, I realized that it behaves differently than most
> browsers do: If a cookie is being written to a "domain" which is actually a
> hostname like in
>
> Set-cookie: name=val; path=/; domain=www.aol.com
>
> all major browsers will accept this pseudo domain and replay the cookie to
> the hostname (like on http://www.aol.com). HTTP::Cookie, however, will store
> the cookie's domain as ".www.aol.com" and therefore *won't* replay it on
> http://www.aol.com.
> Not sure if this is possibly even somewhat against the original cookie spec
> -- but if you want HTTP::Cookie to be compliant with the major browsers, I
> think line 340 in HTTP::Cookies.pm
>
> $domain = ".$domain" unless $domain =~ /^\./;
>
> has to be deleted. What do you think?

This might also require other changes in the code if there are other
assumptions (e.g., that you might always be able to do things like:

    $hostname =~ /$cookie_domain$/

to determine if the host was within the cookie's domain), since you'd always
know there was a leading "." and that would keep you from having hosts like
"wwwaol.com" getting the "aol.com" cookie, since it would have been stored as
".aol.com".

You're right that this is a good change, but we'd have to make sure all the
other assumptions, if any exist, are fixed, so no big security flaws get
opened up in the process. :)

-- 
+---------------------+-----------------------------------------+
| [EMAIL PROTECTED]   | "You need only reflect that one of the  |
| Derek J. Balling    | best ways to get yourself a reputation  |
+---------------------+ as a dangerous citizen these days is    |
| to go about repeating the very phrases which our founding     |
| fathers used in the struggle for independence." - C.A. Beard  |
+---------------------------------------------------------------+
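An added illustration of the domain-matching point in the exchange above. It is written for this thread and is not code from HTTP::Cookies or from either poster. It puts the regex-interpolation check sketched in the reply next to a literal tail match (a plain string comparison, which is a swapped-in technique, not what HTTP::Cookies does) and runs both over a handful of constructed host/domain pairs. The rule that a bare hostname in the domain attribute replays only to that exact host is an assumption drawn from the browser behaviour the original poster describes, and the rule that ".www.aol.com" still does not replay to www.aol.com is an assumption chosen to mirror the HTTP::Cookies behaviour the poster reports. Note that an unquoted domain interpolated into a regex makes its "." a wildcard, so even the stored ".aol.com" still matches "wwwaol.com" (the "." eats the third "w"); the leading dot only helps if the domain is compared literally.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Check in the shape sketched in the reply above: interpolate the stored
# cookie domain straight into a regex and test whether the request host
# ends in it.  Two pitfalls show up in the table below: without a leading
# "." the suffix "aol.com" also matches "wwwaol.com", and because the
# domain is not quoted with \Q...\E its "." is a regex wildcard, so even
# ".aol.com" still matches "wwwaol.com" and "xaol.com".
sub naive_domain_match {
    my ($request_host, $cookie_domain) = @_;
    return $request_host =~ /$cookie_domain$/ ? 1 : 0;
}

# Literal check (assumed rules for this example, not HTTP::Cookies code):
# a bare hostname in the domain attribute ("www.aol.com") replays only to
# that exact host, which is the browser behaviour the original poster
# describes; a dotted domain (".aol.com") replays to any host that has at
# least one label in front of it.  Plain string comparison on the dotted
# form means "wwwaol.com" never matches ".aol.com", and no regex
# metacharacters are involved.  A stored ".www.aol.com" is therefore still
# NOT sent to www.aol.com, matching the behaviour reported above.
sub cookie_domain_matches {
    my ($request_host, $cookie_domain) = @_;
    $request_host  = lc $request_host;
    $cookie_domain = lc $cookie_domain;

    if ($cookie_domain =~ /^\./) {
        my $n = length $cookie_domain;
        return 0 if length($request_host) <= $n;   # need a label in front
        return substr($request_host, -$n) eq $cookie_domain ? 1 : 0;
    }
    return $request_host eq $cookie_domain ? 1 : 0;   # host cookie: exact
}

# Constructed cases for this example; the expected column is what the
# literal, browser-compatible rule above should give.
my @cases = (
    # request host      cookie domain    expected
    [ 'www.aol.com',    'www.aol.com',   1 ],   # host cookie, same host
    [ 'www.aol.com',    '.www.aol.com',  0 ],   # what HTTP::Cookies stores today
    [ 'mail.aol.com',   '.aol.com',      1 ],   # domain cookie, subdomain
    [ 'wwwaol.com',     '.aol.com',      0 ],   # leading dot blocks lookalike...
    [ 'wwwaol.com',     'aol.com',       0 ],   # ...only if matched literally
    [ 'xaol.com',       '.aol.com',      0 ],   # "." as wildcard in the naive regex
);

printf "%-14s %-14s %s %s %s\n",
    'host', 'cookie domain', 'naive', 'literal', 'expected';
for my $c (@cases) {
    my ($host, $dom, $want) = @$c;
    printf "%-14s %-14s %5d %7d %8d\n",
        $host, $dom,
        naive_domain_match($host, $dom),
        cookie_domain_matches($host, $dom),
        $want;
}
```

Run it with a stock perl; the "naive" column disagrees with "expected" on the last three rows, which is the class of assumption the reply says would have to be hunted down before the leading-dot line is removed.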
