I have to disagree with the default as well.. as that can be dangerous to someone who simply forgot to supply the path.. this could cause security issues with where the cookie can be read.. the way is currently works if you forgot to provide the path a you will find out quickly that something is not working in the same manor that you did and can fix it.
-----Original Message----- From: John Baker [mailto:[EMAIL PROTECTED]] Sent: Monday, July 01, 2002 8:33 AM To: Tomcat Developers List Subject: Re: That Cookie thing On Monday 01 July 2002 13:29, Tim Funk wrote: > http://wp.netscape.com/newsref/std/cookie_spec.html > OR > http://www.ietf.org/rfc/rfc2109.txt > OR > http://www.ietf.org/rfc/rfc2965.txt > > PATH=path > Optional. The Path attribute specifies the subset of URLs to which this > cookie applies. But as IE/Moz/Konqueror (anyone else fancy trying some others?) ignore this, would it be more useful to provide a default in some way so it isn't ignored? The chances of getting all those three to stick to the spec are low ;-) Or even a warning in the logs that your code is not likely to work? Of course, normally I'd say "follow the spec", but sadly if your target audience doesn't, there isn't really much you can do. > > John Baker wrote: > > On Monday 01 July 2002 13:16, peter lin wrote: > >>that's the problem with assumptions :) > >> > >>Actually I believe the W3C spec says the path will default to directory > >>the pages resides in. So that page /hello/greeting.jsp will have > >>"/hello" as the path. Only files under "/hello" can read the cookie. > >>Atleast that's my understanding of how cookie path is supposed to be > >>set. Some one correct me if I am wrong. > > > > Well a reliable source tells me that there is no w3c spec for Cookies, > > and infact the concept was conjured by Netscape. There is an RFC spec for > > Cookies, but it's largely ignored. > > > > So as the useful browsers out there ignore Cookie requests without a > > path, it might be handy to add it by default so other people don't spend > > an hour or two sitting there thinking "Why doesn't this work?". The > > current context path would be handy, so the response code could look like > > this: > > > > public void addCookie(Cookie c) > > { > > // whatever > > if (c.getPath() == null) > > c.setPath(getContextPath()); > > // etc > > } > > > > Just a thought :) > > > >>peter > >> > >>John Baker wrote: > >>>On Monday 01 July 2002 12:59, peter lin wrote: > >>>>if you want the cookies to be readable by all pages, you should set it > >>>>to "/". That's standard practice. Also, if you have multiple webserver > >>>>with names like www1, www2, www3....., you should also set the cookie > >>>>to use yourbiz.com. > >>> > >>>I know this ;-) But I'd forgotten to put the / there, and assumed the > >>>browser would assume this if no / was passed to it. However they don't, > >>>so I was suggesting that if a Cookie has no path set then one should be > >>>written by default as a totally useless header is currently written in > >>>the form: > >>> > >>>Set-Cookie: someName=someValue; expires.... > >>> > >>>and due to the lack of a path, every browser ignores it. -- John Baker, BSc CS. Java Developer, TEAM/Slb. http://www.teamenergy.com Views expressed in this mail are my own. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
