Re: Merging of Multiple Cookie Headers

2016-06-29 Thread Rainer Canavan
On Wed, Jun 29, 2016 at 2:02 AM, Joseph Schaefer wrote: > Php's cookie parser can be more lax in treating ", " similar to "; ", that > would be a better avenue of redress. Otherwise they can adopt libapreq2's > cookie parsing code which has much richer support for

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread Joseph Schaefer
Php's cookie parser can be more lax in treating ", " similar to "; ", that would be a better avenue of redress. Otherwise they can adopt libapreq2's cookie parsing code which has much richer support for merging cookie headers written to different cookie specs. Sent from my iPhone > On Jun

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread Joseph Schaefer
Anyways I agree with Bill that this isn't httpd's problem to fix. The cookie standards are abysmal which is why some level of strictness is required as regards the defacto httpd behavior to prevent all hell from breaking loose. Sent from my iPhone > On Jun 28, 2016, at 7:51 PM, Joseph

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread Joseph Schaefer
Or use ssl so proxies can't monkey with the request headers. Sent from my iPhone > On Jun 28, 2016, at 7:48 PM, Joseph Schaefer wrote: > > Sales pitch: use libapreq2, which gracefully handles merged cookie headers > anyway. > > Sent from my iPhone > >> On Jun 28,

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread Joseph Schaefer
Sales pitch: use libapreq2, which gracefully handles merged cookie headers anyway. Sent from my iPhone > On Jun 28, 2016, at 6:39 PM, Joseph Schaefer wrote: > > The industry standard behavior regarding cookies is for user agents to send > at most a single cookie

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread Joseph Schaefer
The industry standard behavior regarding cookies is for user agents to send at most a single cookie header, and for servers to avoid merging set-cookie headers. The set-cookie2 header is merge able. Sent from my iPhone > On Jun 28, 2016, at 6:14 PM, Rainer Canavan

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread Rainer Canavan
On Tue, Jun 28, 2016 at 10:13 PM, William A Rowe Jr wrote: > On Tue, Jun 28, 2016 at 2:29 PM, Rainer Canavan > wrote: >> It's not just the Cookie that's logged via %{}C that gets nonsense >> appended, but the cookie parser of e.g. PHP behaves the

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread William A Rowe Jr
On Tue, Jun 28, 2016 at 2:29 PM, Rainer Canavan wrote: > > It's not just the Cookie that's logged via %{}C that gets nonsense > appended, but the cookie parser of e.g. PHP behaves the same. I think > httpd could handle this better by not merging the headers or

Re: Merging of Multiple Cookie Headers

2016-06-28 Thread Rainer Canavan
On Tue, Jun 28, 2016 at 6:09 PM, Graham Leggett wrote: > On 28 Jun 2016, at 4:29 PM, Rainer Canavan > wrote: > >> We've observed multiple gateways, operated by e.g. AT, COLT and >> Vodafone, that inject additional Cookie: headers into client