On Wed, 14 Oct 2009, Daniel Stenberg wrote:

> Based on feedback I got on the http-state mailing list from a Firefox
> developer on this topic, we should probably consider making _all_ failures
> to parse the expire date as a reason to switch it to a session cookie and
> not just on blank dates, as that seems to be what Firefox does. (Still to
> be found out how others deal with such cookies)

As discussed, I tested several browsers with these cookies:

1. EmptyDate cookie: "Expires="
2. BadDate cookie: "Expires=sometime"
3. ExtraCharsAfterDate: "Expires=Sun, 25-Oct-2009 20:15:56 GMT extra symbols"

The following three browsers behave in the same way, they treat EmptyDate
and BadDate as session cookies, but recognise the expiry date on the third
cookie:

        MSIE 8.0 on Win XP SP3
        Firefox 3.5.3 on Win XP SP3
        Epiphany (WebKit) 2.28.0 on Ubuntu 9.10

The only exception was Konqueror/4.3 (KHTML/4.3.2), it treats all three as
session cookies.

Considering the above, I agree with Daniel, I think that any failure to parse
the cookie date in CURL should make it a session cookie. The patch against the
CVS HEAD is enclosed.

Regards,
Dima.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html