[mod_python] Re: Cookie patch

Nicolas Lehuen nicolas.lehuen at gmail.com
Fri Jan 14 02:03:56 EST 2005


On Thu, 13 Jan 2005 15:56:56 -0500, Joe Schaefer
<joe+gmane at sunstarsys.com> wrote:
> Nicolas Lehuen <nicolas.lehuen at gmail.com>
> writes:
> 
> [...]
> 
> > Cookie: test1=2;$Path=/;$Version=1;test2=3;$Path=/foo;$Version=2
> > ==> two Cookies :
> >  - one with key=='test1', value=='2', version=='1' and path=='/'
> >  - one with key=='test2', value=='3', version=='2' and path=='/foo'
> 
> Apologies for delurking outside my normal domain, but the above
> test doesn't make much sense to me.  AIUI, $Version is supposed to
> describe the protocol (headers), not the individual cookies.
> Here's the 2109 BNF:
> 
>    cookie          =       "Cookie:" cookie-version
>                            1*((";" | ",") cookie-value)

Yeah, the test doesn't make sense, it was just to check the algorithm
and the fact that you could define multiple attributes for the same
cookie. I should have used $domain instead:

Cookie: test1=2;$Path=/;$Domain=foo.com;test2=3;$Path=/foo;$Domain=bar.foo.com
==> two Cookies :
 - one with key=='test1', value=='2', domain=='foo.com' and path=='/'
 - one with key=='test2', value=='3', domain=='bar.foo.com' and path=='/foo'

You've got a point here: both the new and old _parse_cookie functions
do not follow the BNF definition:

   cookie          =       "Cookie:" cookie-version
                           1*((";" | ",") cookie-value)
   cookie-value    =       NAME "=" VALUE [";" path] [";" domain]
   cookie-version  =       "$Version" "=" value
   NAME            =       attr
   VALUE           =       value
   path            =       "$Path" "=" value
   domain          =       "$Domain" "=" value

Looking from this definition, only $Path and $Domain attributes are
allowed. mod_python accepts more attributes. The question is, should
we be liberal in what we accept (and strict in what we produce, of
course)? I think so.

> There's no universally-accepted way to mix Netscape cookies
> with the RFC-based ($Version=1) cookies within the same HTTP
> request.  At some point the IETF tried to produce an errata
> document to address this, but IIRC failed to achieve consensus
> on a resolution.

That's another reason to be as liberal as we can without breaking anything.

Regards,
Nicolas
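
The grammar quoted in this message, as an added example that is not part of the original post and is not mod_python's `_parse_cookie`: a small parser with a `strict` switch, so the "liberal in what we accept" choice is an explicit decision rather than a side effect. The names `parse_cookie_header`, `strict` and `attrs` are assumptions made for illustration.

```python
import re

# One NAME=VALUE pair, then ";" or "," (RFC 2109 allows both) or end of input.
# VALUE is a quoted-string (group 2) or a raw run up to the separator (group 3).
_PAIR = re.compile(
    r'\s*([^=;,\s]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;,]*))\s*(?:[;,]|$)')
_RFC_ATTRS = {"$path", "$domain"}  # the only per-cookie attributes in the BNF


def parse_cookie_header(header, strict=False):
    """Return (version, cookies) for the value of a Cookie: request header.

    strict=True rejects anything the RFC 2109 BNF does not allow;
    strict=False keeps unknown $-attributes on the preceding cookie.
    """
    header = header.strip()
    version, cookies, pos = None, [], 0
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if m is None:
            raise ValueError("malformed Cookie header at offset %d" % pos)
        pos = m.end()
        name = m.group(1)
        if m.group(3) is None:  # quoted-string: undo backslash escapes
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3).strip()
        if not name.startswith("$"):
            cookies.append({"name": name, "value": value, "attrs": {}})
            continue
        key = name.lower()
        if key == "$version" and not cookies:
            version = value  # cookie-version describes the header itself
        elif not cookies:
            raise ValueError("attribute %s precedes any cookie" % name)
        elif strict and key not in _RFC_ATTRS:
            raise ValueError("attribute %s not allowed by the BNF" % name)
        else:
            cookies[-1]["attrs"][key[1:]] = value
    return version, cookies


if __name__ == "__main__":
    # Header value taken from the message above.
    sample = "test1=2;$Path=/;$Domain=foo.com;test2=3;$Path=/foo;$Domain=bar.foo.com"
    print(parse_cookie_header(sample, strict=True))
```

In liberal mode a `$Version` that appears after a cookie is stored on that cookie, which is the behaviour the first test in the thread relied on; in strict mode the same header is rejected.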

