[Catalyst-dev] Patch for C::P::Session::State::Cookie
Wade.Stuart at fallon.com
Wade.Stuart at fallon.com
Thu Aug 3 19:40:14 CEST 2006
catalyst-dev-bounces at lists.rawmode.org wrote on 08/03/2006 12:30:38 PM:
> catalyst-dev-bounces at lists.rawmode.org wrote on 08/03/2006 12:12:49 PM:
>
> > I roughly know how cookie works.
> > I had situation that lynx would croak when I baked a cookie with
> > path attribution '/abc' under a request of path '/'.
> > But I haven't confirmed it again.
>
> It should just set security scope for the cookie at a more specific level
> than hostname; left unset, path is assumed to match at /. It is in the
> RFC (http://www.w3.org/Protocols/rfc2109/rfc2109) and I have yet to find a
> browser that supports cookies at all that does not fully support path. If
> it broke lynx it was a bug and should have been fixed -- in your example
> lynx should have noticed that / was not in the scope of host/abc and sent
> the request with no cookie.
>
Sorry to respond to myself, but I just reread your message and I may have
misunderstood. If you mean that you set the cookie's Path attr to /abc
from a request to /, that is disallowed by the RFC:

  4.3.2 Rejecting Cookies

  To prevent possible security or privacy violations, a user agent
  rejects a cookie (shall not store its information) if any of the
  following is true:

  * The value for the Path attribute is not a prefix of the request-URI.

A cookie path of '/abc' can be set from a request to /abc/ or any URL under
that prefix, but not '/' or '/xyz' ...
> > 2006/8/3, Brandon Black <blblack at gmail.com>:
> >
> > The point isn't to limit when/if we bake the cookie. The "path"
> > attribute of a cookie tells the browser what paths to send it back
> > to us for. So if you have a cookie called "session_id", and your app is
> > at http://myhost/catapp, and there's another application hosted at
> > http://myhost/otherapp which also has a "session_id" cookie, you'll
> > definitely need this to avoid them stepping on each other. If the
> > root of the domain ( http://myhost/) and everything beneath it is
> > all served just by your Catalyst app, then I guess one wouldn't care
> > about it.
> >
> > -- Brandon
> > _______________________________________________
> > Catalyst-dev mailing list
> > Catalyst-dev at lists.rawmode.org
> > http://lists.rawmode.org/mailman/listinfo/catalyst-dev
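The two rules the thread turns on (a user agent refuses a Set-Cookie whose Path is not a prefix of the request-URI, and only sends a cookie back on requests whose path the cookie's Path prefixes) are small enough to model directly. The following is an added example written for this page, not code from the thread, from Catalyst or from C::P::Session::State::Cookie; the CookieJar class, the function names and the /catapp and /otherapp sample paths are assumptions for illustration. It uses RFC 2109's plain string-prefix path-match (so '/abc' also matches '/abcdef'; RFC 6265 later tightened this to segment boundaries) and reproduces Brandon's collision: two apps on one host both setting "session_id" with Path=/ overwrite each other, while Path=/catapp and Path=/otherapp keep them apart.

```python
"""Model of RFC 2109 cookie Path acceptance and sending (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str


def default_path(request_path: str) -> str:
    # RFC 2109 4.3.1: an absent Path defaults to the request-URI path up to,
    # but not including, the right-most "/"; the root if nothing is left.
    prefix = request_path.rsplit("/", 1)[0]
    return prefix or "/"


def path_matches(cookie_path: str, request_path: str) -> bool:
    # RFC 2109 path-match is a plain string prefix test.
    return request_path.startswith(cookie_path)


def accept_cookie(request_path: str, name: str, value: str,
                  path: Optional[str] = None) -> Optional[Cookie]:
    """Return the cookie a 4.3.2-conforming user agent stores, or None if rejected."""
    if path is None:
        path = default_path(request_path)
    if not path_matches(path, request_path):
        return None  # Path is not a prefix of the request-URI: rejected
    return Cookie(name, value, path)


class CookieJar:
    """Hypothetical user-agent cookie store keyed by (name, path)."""

    def __init__(self) -> None:
        self._cookies: Dict[Tuple[str, str], Cookie] = {}

    def set_from_response(self, request_path: str, name: str, value: str,
                          path: Optional[str] = None) -> bool:
        cookie = accept_cookie(request_path, name, value, path)
        if cookie is None:
            return False
        # Same name and same path replaces the earlier cookie.
        self._cookies[(name, cookie.path)] = cookie
        return True

    def cookies_for(self, request_path: str) -> List[Cookie]:
        # RFC 2109 4.3.4: send every cookie whose Path path-matches the
        # request-URI, more specific paths first.
        matching = [c for c in self._cookies.values()
                    if path_matches(c.path, request_path)]
        return sorted(matching, key=lambda c: len(c.path), reverse=True)


def session_ids_seen(scoped: bool) -> Dict[str, List[str]]:
    """Two apps on one host each set "session_id"; show what each app gets back.

    Sample paths /catapp and /otherapp are constructed for this example.
    """
    jar = CookieJar()
    if scoped:
        jar.set_from_response("/catapp/login", "session_id", "cat-1", "/catapp")
        jar.set_from_response("/otherapp/login", "session_id", "other-2", "/otherapp")
    else:
        jar.set_from_response("/catapp/login", "session_id", "cat-1", "/")
        jar.set_from_response("/otherapp/login", "session_id", "other-2", "/")
    return {p: [c.value for c in jar.cookies_for(p)]
            for p in ("/catapp/x", "/otherapp/y")}


if __name__ == "__main__":
    for req in ("/abc/", "/abc/def", "/", "/xyz"):
        print(req, "->", "stored" if accept_cookie(req, "s", "v", "/abc") else "rejected")
    print("unscoped:", session_ids_seen(False))
    print("scoped:  ", session_ids_seen(True))
```

The acceptance check is what the lynx case in the thread comes down to: a response to / carrying Path=/abc is dropped by accept_cookie, and a later request to /abc/ goes out with no cookie at all, rather than with a cookie the server never scoped correctly.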