Re: Accommodating Netscape-style cookies?

Gisle Aas (gisle@aas.no)
04 Mar 1998 11:33:42 +0100


Kartik Subbarao <subbarao@computer.org> writes:

> I'm trying to use HTTP::Cookies to talk to a web application that
> follows the "looser" Netscape-style Cookie definition 
> 
> http://www.netscape.com/newsref/std/cookie_spec.html
> 
> as opposed to the more "strict" definition specified in RFC 2109.
> 
> Specifically, this application generates cookies with the pattern of
> domain=foo.bar.com from the host foo.bar.com. It also generates 
> cookies with domain=.bar.com from baz.foo.bar.com. Both of these are 
> verboten according to RFC 2109, but Netscape works fine with them.

Is domain=foo.bar.com supposed to mean that cookies should only be
returned to host foo.bar.com or that both foo.bar.com and for instance
xxx.foo.bar.com should get it?  What does Netscape do (probably it
just tries to match the domain name at the end of the hostname as it
is and will send cookies to both xxx.foo.bar.com and foo.bar.com)?

> I can't change the web application. What I've been doing so far is 
> manually munging the host field in the URL, baz.foo.bar.com, to 
> baz-foo.bar.com, before calling extract_cookies(). I haven't found 
> a satisfactory way to deal with domain=foo.bar.com, since 
> extract_cookies automatically prepends a '.', and then it no longer 
> matches the hostname.

You could munge it into becoming two cookie headers perhaps.  One
without a domain attribute and one with domain=.foo.bar.com.

> One thing I was thinking of doing was adding some pacifying logic
> to extract_cookies, wrapped around if ($netscape_cookie). For example,
> not automatically prepending '.' to the domain name, and allowing
> baz.foo.bar.com to set a cookie for .bar.com.

This sounds acceptable to me.

> I suspect that Gisle and others have probably wrestled with this issue
> before. Any suggestions? Do people think a patch that accommodated
> Netscape-style cookie specification would make sense?

I think so.

-- 
Gisle Aas
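
The two Domain acceptance rules discussed in this thread, run over the host/Domain pairs it mentions. This is an added example, not part of the original messages and not HTTP::Cookies code. The function names are hypothetical, the Netscape rule is modelled as the literal tail match the reply guesses at plus the draft's minimum-period rule, and the last test row is a constructed host name.

```perl
use strict;
use warnings;

# Netscape draft (assumed model): literal tail match of Domain against the
# host name, plus the minimum-period rule (two periods for the seven TLDs
# the draft lists, three otherwise).
sub netscape_accepts {
    my ($host, $domain) = map { lc($_) } @_;
    my $periods = ($domain =~ tr/.//);
    my $min = $domain =~ /\.(?:com|edu|net|org|gov|mil|int)$/ ? 2 : 3;
    return 0 if $periods < $min;
    return 0 if length($host) < length($domain);
    return substr($host, -length($domain)) eq $domain ? 1 : 0;
}

# RFC 2109 section 4.3.2: Domain must start with a dot and contain an
# embedded dot, the host must have the form H + D, and H must not
# contain a dot.
sub rfc2109_accepts {
    my ($host, $domain) = map { lc($_) } @_;
    return 0 unless $domain =~ /^\.[^.]+\.[^.]/;
    return 0 unless length($host) > length($domain)
        && substr($host, -length($domain)) eq $domain;
    my $h = substr($host, 0, length($host) - length($domain));
    return $h =~ /\./ ? 0 : 1;
}

my @cases = (
    [ 'foo.bar.com',     'foo.bar.com'  ],  # first case in the thread
    [ 'foo.bar.com',     '.foo.bar.com' ],  # same cookie after a '.' is prepended
    [ 'xxx.foo.bar.com', 'foo.bar.com'  ],  # the question asked in the reply
    [ 'baz.foo.bar.com', '.bar.com'     ],  # second case in the thread
    [ 'baz-foo.bar.com', '.bar.com'     ],  # the host-munging workaround
    [ 'notfoo.bar.com',  'foo.bar.com'  ],  # constructed: a literal suffix
                                            # compare ignores label boundaries
);

printf "%-16s %-13s %-9s %s\n", 'host', 'Domain', 'Netscape', 'RFC 2109';
for my $c (@cases) {
    my ($host, $domain) = @$c;
    printf "%-16s %-13s %-9s %s\n", $host, $domain,
        (netscape_accepts($host, $domain) ? 'accept' : 'reject'),
        (rfc2109_accepts($host, $domain)  ? 'accept' : 'reject');
}
```

Any Netscape-compatibility switch in a cookie jar widens which hosts may set and receive a cookie, so the looser rule belongs behind an explicit option rather than as the default.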