cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Bugs with cookies

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 28 Feb 2002 08:32:23 +0100 (MET)

On Wed, 27 Feb 2002, SM wrote:

> >I think we might have a cookie recording problem here. If we first receive a
> >cookie named NAME for domain 'loonie.domain.boo' and then later receive
> >another cookie line with NAME for domain 'domain.boo' (cutting off parts of
> >the previous domain) this second cookie will be stored as a different one due
> >to the different domain property. But I figure they should actually be
> >treated as the same. (Cookies are a tricky business due to the lack of
> >standards, or rather due to the lack of sites following the actual
> >standards.)
>
> Interesting question. :) 'loonie.domain.boo' can be considered as a cookie
> for a specified host whereas 'domain.boo' applies to the whole domain. If
> we have cookies for each of those, we should use the cookie that matches
> the host.

Actually, today we wpild use both cookies when talking to
"loonie.domain.boo". But as they have the same name, it probably confuses the
receiver severly and might not be what it expects.

If they're using the same name, we should probably use the one that has the
longest domain match string...

> I have seen some servers that send an incorrect entry for the domain part.
> the domain part _should_ be '.domain.boo' or '.domain.boo.se' if it is a
> ccTLD.

Yes, there are a few restrictions on the domain property. libcurl doesn't
care about them right now though.

> The question is what to do with cookies such as 'domain.boo'. Given that
> the do not follow the specifications, should cURL reject them?

Currently it doesn't. Actually, currently curl also records cookies with a
domain set to a different domain than the server uses, which also isn't
allowed according to the specs.

-- 
    Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
Received on 2002-02-28