[mod_python] the domain name in mod_python's session/cookie management

Kevin Wang kwang at activegrid.com
Mon Mar 20 19:17:59 EST 2006


Deron Meranda wrote:
> On 3/20/06, Kevin Wang <kwang at activegrid.com> wrote:
> 
>>Looks like mod_python never sets the domain name in "Set-Cookie" header, but
>>both Firefox and IE browsers are smart enough to assume that the cookie
>>belongs to the host requested.
> 
> 
> Actually that's what the standards demand that the browsers do, it's
> not just a coincidence.
> 
> Set-Cookie is actually somewhat dated and is documented in
> RFC 2109 - http://www.ietf.org/rfc/rfc2109.txt
> Set-Cookie2 is the current standard as documented in
> RFC 2965 - http://www.ietf.org/rfc/rfc2965.txt

Thanks for pointing this out; it makes sense.

> 
> However Set-Cookie2, while technically superior, is not as widely
> understood by browsers.  So mod_python sticks with Set-Cookie.
> 
> 
>>However, in the case of a request coming from an IE frame, it no longer works!
>>I have no idea why it doesn't work in an IE frame.
> 
> 
> Hmm. Are you using cross-domain frames or anything complicated?

Yes, I do use cross-domain frames.  Even after I manually add the cookie 
domain option in Session.py, it still doesn't work out.  Eventually I found 
this article which talks about IE's lovely P3P restriction:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323752

By either setting IE's security/P3P to be low, or by manually sending a 
specific response header: P3P: CP="CAO PSA OUR", it works!

> 
> 
>>To me, the right solution should be that mod_python always sets the domain
>>name if one is passed in.
> 
> 
> You of course can always dive into lower-level code.  For instance
> mod_python's Cookie module does let you get at the domain
> attribute, which you can set however you like.  (Not to mention
> Python's own Cookie/Morsel classes)
> --
> Deron Meranda
> 
> 
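
Added example (not part of the original thread and not mod_python code): a sketch of the cookie scoping discussed above, using Python 3's http.cookies Morsel class and the RFC 6265 domain-matching rule that current browsers apply. The cookie name sid, the example.com hosts and the helper names are assumptions; the P3P value is the one quoted in the message.

```python
from http.cookies import SimpleCookie


def session_headers(sid, domain=None, p3p=None):
    """Build response headers for a session cookie named 'sid' (assumed name)."""
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["path"] = "/"
    if domain:
        jar["sid"]["domain"] = domain  # widens the cookie beyond the issuing host
    headers = [("Set-Cookie", jar["sid"].OutputString())]
    if p3p:
        # Compact-policy header the message reports IE needing in cross-domain frames
        headers.append(("P3P", 'CP="%s"' % p3p))
    return headers


def would_send(scope, host):
    """True if a browser would attach a cookie with this scope to a request for host."""
    domain, host_only = scope
    host = host.lower()
    if host_only:
        return host == domain
    return host == domain or host.endswith("." + domain)


def cookie_scope(set_cookie_value, request_host):
    """Return (domain, host_only) for a Set-Cookie value received from request_host."""
    morsel = next(iter(SimpleCookie(set_cookie_value).values()))
    domain = morsel["domain"].lstrip(".").lower()
    if not domain:
        return request_host.lower(), True   # no Domain attribute: host-only cookie
    if not would_send((domain, False), request_host):
        raise ValueError("Domain does not cover the responding host; browsers reject it")
    return domain, False


if __name__ == "__main__":
    for dom in (None, ".example.com"):      # constructed sample hosts
        hdrs = session_headers("abc123", domain=dom, p3p="CAO PSA OUR")
        scope = cookie_scope(hdrs[0][1], "www.example.com")
        print(hdrs, scope, would_send(scope, "app.example.com"))
```

Setting Domain makes the session cookie visible to every subdomain of that domain, so leave it unset unless sibling hosts really must share the session.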

