Kevin Wang
kwang at activegrid.com
Mon Mar 20 19:17:59 EST 2006
Deron Meranda wrote:
> On 3/20/06, Kevin Wang <kwang at activegrid.com> wrote:
>
>>Looks like mod_python never sets the domain name in "Set-Cookie" header, but
>>both Firefox and IE browsers are smart enough to assume that the cookie
>>belongs to the host requested.
>
> Actually that's what the standards demand that the browsers do, it's
> not just a coincidence.
>
> Set-Cookie is actually somewhat dated and is documented in
>    RFC 2109 - http://www.ietf.org/rfc/rfc2109.txt
> Set-Cookie2 is the current standard as documented in
>    RFC 2965 - http://www.ietf.org/rfc/rfc2965.txt

Thanks for pointing this out; it makes sense.

> However Set-Cookie2, while technically superior, is not as widely
> understood by browsers. So mod_python sticks with Set-Cookie.
>
>>However, in the case of request coming from an IE frame, it no longer works!
>> I have no idea why it doesn't work in an IE frame.
>
> Hmm. Are you using cross-domain frames or anything complicated?

Yes, I do use cross-domain frames. Even after I manually add the cookie
domain option in Session.py, it still doesn't work out. Eventually I found
this article, which talks about IE's lovely P3P restriction:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323752

By either setting IE's security/P3P to be low, or by manually sending a
specific response header:

    P3P: CP="CAO PSA OUR"

it works!

>>To me, the right solution should be that mod_python always sets the domain
>>name if one is passed in.
>
> You of course can always dive into lower-level code. For instance
> mod_python's Cookie module does let you get at the domain
> attribute, which you can set however you like. (Not to mention
> Python's own Cookie/Morsel classes)
> --
> Deron Meranda
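The header pair discussed in this thread, as an added example that is not part of the original message or of mod_python: it uses Python 3's standard `http.cookies` Morsel class rather than mod_python's Cookie module, and emits a host-only cookie by default, an explicit Domain only when the request host falls under it, and the P3P header quoted above on request. The function names and the `example.com` hosts are hypothetical.

```python
from http.cookies import SimpleCookie

# Compact-policy value exactly as quoted in the message above.
P3P_POLICY = 'CP="CAO PSA OUR"'


def domain_matches(host, domain):
    """True if host equals domain or is a subdomain of it (label boundary)."""
    host = host.lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def session_headers(name, value, request_host, domain=None, cross_domain_frame=False):
    """Build the response headers for a session cookie.

    With domain=None no Domain attribute is sent, so the browser scopes the
    cookie to the requesting host only (the behaviour the thread describes).
    An explicit domain widens the scope to every host under it, so it is
    refused unless the request host actually belongs to that domain.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    if domain is not None:
        if not domain_matches(request_host, domain):
            raise ValueError("%r is not within cookie domain %r" % (request_host, domain))
        morsel["domain"] = domain
    headers = [("Set-Cookie", morsel.OutputString())]
    if cross_domain_frame:
        # Header the poster reports IE needing when the page is loaded
        # inside a cross-domain frame.
        headers.append(("P3P", P3P_POLICY))
    return headers


if __name__ == "__main__":
    # Constructed sample values.
    for header in session_headers("sid", "abc123", "app.example.com",
                                  domain=".example.com", cross_domain_frame=True):
        print("%s: %s" % header)
```
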