Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cookie RFC not followed?

Posted on 2004-04-30
3
Medium Priority
?
251 Views
Last Modified: 2012-08-13
Hi all,

I am using Cookies in JSP/Servlets and the following doubt came to my mind.

In the Cookie RFC 2109 in section 4.3.2 it says,

A Set-Kookie from request-host y.x.foo.com for Domain=.foo.com
would be rejected, because H is y.x and contains a dot.

But when I test it myself on my server it doesn't follow this constraint. I have x.y.myserver.com domain and servlet written there. I set kookie with domain = .myserver.com and it works. It allows setting me that kookie.

Anybody knows why this happens? Doesn't browsers follow the RFC? OR was there some addendum or part that I missed for that RFC which describes this anomaly.

Regards
Maulin
0
Comment
Question by:Maulin_Vasavada
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 3

Accepted Solution

by:
mjzalewski earned 500 total points
ID: 10992232
I'm pretty sure that it works when you go back to the same host (in other words, because the cookie was a response from x.y.myserver.com, it gets included in future requests to x.y.myserver.com). In other words, I think section 4.3.4 often overrides section 4.3.2 (at least as implemented in most browsers).

Bu I'm pretty sure that the cookie will not be included to other hosts like z.y.myserver.com.

BTW, you didn't say which browser version you were working with. Cookies would only be rejected (actually ignored) by the browser client. When a server sends a response, there is no way for the client to tell the server that the cookie has been rejected. Rejecting a cookie only means that the browser ignores it. For a cookie with $Domain=.myserver.com, I suppose it might be implemented as 'Don't send to other URIs even if the host part ends in .myserver.com, because 4.3.2 was violated. However, do send back to x.y.myserver.com, because that was the host which set the cookie.'

And also, I don't think any browser is compliant with all the RFC (and other) specs.

And finally, are you using Version="1"? I think if you don't use that cookie header, a client may interpret the cookie to be version 0, a looser standard produced by Netscape.

0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After being asked a question last year, I went into one of my moods where I did some research and code just for the fun and learning of it all.  Subsequently, from this journey, I put together this article on "Range Searching Using Visual Basic.NET …
Java contains several comparison operators (e.g., <, <=, >, >=, ==, !=) that allow you to compare primitive values. However, these operators cannot be used to compare the contents of objects. Interface Comparable is used to allow objects of a cl…
Viewers will learn one way to get user input in Java. Introduce the Scanner object: Declare the variable that stores the user input: An example prompting the user for input: Methods you need to invoke in order to properly get  user input:
This theoretical tutorial explains exceptions, reasons for exceptions, different categories of exception and exception hierarchy.
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question