On Wed, Jun 29, 2016 at 2:02 AM, Joseph Schaefer wrote:
> PHP's cookie parser can be more lax in treating ", " similar to "; ", that
> would be a better avenue of redress. Otherwise they can adopt libapreq2's
> cookie parsing code which has much richer support for
PHP's cookie parser can be more lax in treating ", " similar to "; ", that
would be a better avenue of redress. Otherwise they can adopt libapreq2's
cookie parsing code which has much richer support for merging cookie headers
written to different cookie specs.
Sent from my iPhone
> On Jun
Anyways I agree with Bill that this isn't httpd's problem to fix. The cookie
standards are abysmal which is why some level of strictness is required as
regards the de facto httpd behavior to prevent all hell from breaking loose.
Sent from my iPhone
> On Jun 28, 2016, at 7:51 PM, Joseph
Or use SSL so proxies can't monkey with the request headers.
Sent from my iPhone
> On Jun 28, 2016, at 7:48 PM, Joseph Schaefer wrote:
>
> Sales pitch: use libapreq2, which gracefully handles merged cookie headers
> anyway.
>
> Sent from my iPhone
>
>> On Jun 28,
Sales pitch: use libapreq2, which gracefully handles merged cookie headers
anyway.
Sent from my iPhone
> On Jun 28, 2016, at 6:39 PM, Joseph Schaefer wrote:
>
> The industry standard behavior regarding cookies is for user agents to send
> at most a single cookie
The industry standard behavior regarding cookies is for user agents to send at
most a single cookie header, and for servers to avoid merging set-cookie
headers. The set-cookie2 header is mergeable.
Sent from my iPhone
> On Jun 28, 2016, at 6:14 PM, Rainer Canavan
On Tue, Jun 28, 2016 at 10:13 PM, William A Rowe Jr wrote:
> On Tue, Jun 28, 2016 at 2:29 PM, Rainer Canavan
> wrote:
>> It's not just the Cookie that's logged via %{}C that gets nonsense
>> appended, but the cookie parser of e.g. PHP behaves the
On Tue, Jun 28, 2016 at 2:29 PM, Rainer Canavan wrote:
>
> It's not just the Cookie that's logged via %{}C that gets nonsense
> appended, but the cookie parser of e.g. PHP behaves the same. I think
> httpd could handle this better by not merging the headers or
On Tue, Jun 28, 2016 at 6:09 PM, Graham Leggett wrote:
> On 28 Jun 2016, at 4:29 PM, Rainer Canavan
> wrote:
>
>> We've observed multiple gateways, operated by e.g. AT, COLT and
>> Vodafone, that inject additional Cookie: headers into client
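
The lax parsing suggested in the thread (treating ", " like "; " when several Cookie headers have been merged into one value), shown next to a ";"-only split. This is an added example, not code from any message in the thread, from PHP or from libapreq2; the function names, the comma heuristic, the first-occurrence-wins policy and the sample header are assumptions constructed for illustration.

```python
import re

# RFC 7230 token characters, which RFC 6265 uses for cookie names.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"

# Strict: only ';' separates pairs.
_STRICT_SEP = re.compile(r";")
# Lax (heuristic for this example): a ',' also separates pairs, but only
# when what follows looks like the start of a new "name=" pair. A comma
# inside a value that is not followed by "name=" stays in the value.
_LAX_SEP = re.compile(r";|,(?=\s*" + _TOKEN + r"=)")


def _parse(raw_values, separator):
    cookies = {}
    for raw in raw_values:
        for part in separator.split(raw):
            name, eq, value = part.strip().partition("=")
            if not eq or not name:
                continue  # skip empty or malformed fragments
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop surrounding double quotes
            # Assumed policy: the first occurrence of a name wins, so a
            # pair appended later cannot replace an earlier one.
            cookies.setdefault(name, value)
    return cookies


def parse_cookies_strict(raw_values):
    """Split on ';' only; a merged header leaks into the last value."""
    return _parse(raw_values, _STRICT_SEP)


def parse_cookies_lax(raw_values):
    """Split on ';' and on ',' that precedes a new name=value pair."""
    return _parse(raw_values, _LAX_SEP)


# Constructed sample: two Cookie headers after being merged with ", ".
MERGED = ["SID=abc123; lang=en, tracker=gw-injected"]

if __name__ == "__main__":
    print("strict:", parse_cookies_strict(MERGED))
    print("lax:   ", parse_cookies_lax(MERGED))
```

The heuristic still mis-splits a value that legitimately contains `,name=`, so it reduces the damage from merged headers rather than making the merged form unambiguous.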