Questionable cookie behavior from Alec H. Peterson on 2003-05-07 (www-lib@w3.org from April to June 2003)

From: Alec H. Peterson <ahp@hilander.com>
Date: Wed, 07 May 2003 10:21:18 -0600
To: www-lib@w3.org
Message-ID: <1676225677.1052302878@macleod.hilander.com>

I have found a couple of things with respect to the cookie behavior within 
libwww that I find questionable and have fixed.  I'm not intimately 
familiar with RFC2616, so I do not know if these are protocol violations or 
not.  Anyway:

1) Cookie deletions (ie, blank cookies).  The HTCookie_parseSetCookie() 
routine does not deal with a null cookie value, and thus screws up the rest 
of the parsing.  I fixed this by checking if value[0] is ';', and if so 
setting the cookie value to "" and incrementing the value pointer.
2) Cookies in HTTP_EQUIV REFRESH redirects.  Since these redirects happen 
in the HTML code, they need to be dealt with in the application. 
Unfortunately, the setCookie() callback is called only at the end of the 
entire HTTP session (ie, when all downloads are completed).  The way my 
application handles these refreshes is not the way that libwww handles HTTP 
redirects, mainly because I was not able to figure out how to extract all 
of the objects I needed to pass to the function.  So, in lieu of that I 
modified the parseSetCookie routine to call the application's setCookie() 
callback there instead having it happen at the end of the session.  This is 
almost certainly not the right way to do it, though it's all I could come 
up with.
3) Cookies in HTTP redirects.  When the findCookie() callback is called and 
cookies are found for a new URL that is found because of an HTTP redirect, 
a new Cookie header is added.  This results in the new cookies plus the old 
cookies from the previous URL to be sent (ie, the ones that were sent to 
the URL that generated the redirect) regardless of the domain.  I added two 
header routines:  HTRequest_replaceExtraHeader() and 
HTRequest_deleteExtraHeader() to HTReqMan.c and called them appropriately 
in HTCookie_beforeFilter().

I'd love to hear thoughts on these issues, especially the one related to 
the HTTP_EQUIV redirects, since I would love to be able to use the libwww 
redirect filter for this.

Alec

--
Alec H. Peterson -- ahp@hilander.com
Chief Technology Officer
Catbird Networks, http://www.catbird.com

Received on Wednesday, 7 May 2003 12:21:21 UTC