Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cookie RFC not followed?

Posted on 2004-04-30
3
Medium Priority
?
267 Views
Last Modified: 2012-08-13
Hi all,

I am using Cookies in JSP/Servlets and the following doubt came to my mind.

In the Cookie RFC 2109 in section 4.3.2 it says,

A Set-Kookie from request-host y.x.foo.com for Domain=.foo.com
would be rejected, because H is y.x and contains a dot.

But when I test it myself on my server it doesn't follow this constraint. I have x.y.myserver.com domain and servlet written there. I set kookie with domain = .myserver.com and it works. It allows setting me that kookie.

Anybody knows why this happens? Doesn't browsers follow the RFC? OR was there some addendum or part that I missed for that RFC which describes this anomaly.

Regards
Maulin
0
Comment
Question by:Maulin_Vasavada
1 Comment
 
LVL 3

Accepted Solution

by:
mjzalewski earned 500 total points
ID: 10992232
I'm pretty sure that it works when you go back to the same host (in other words, because the cookie was a response from x.y.myserver.com, it gets included in future requests to x.y.myserver.com). In other words, I think section 4.3.4 often overrides section 4.3.2 (at least as implemented in most browsers).

Bu I'm pretty sure that the cookie will not be included to other hosts like z.y.myserver.com.

BTW, you didn't say which browser version you were working with. Cookies would only be rejected (actually ignored) by the browser client. When a server sends a response, there is no way for the client to tell the server that the cookie has been rejected. Rejecting a cookie only means that the browser ignores it. For a cookie with $Domain=.myserver.com, I suppose it might be implemented as 'Don't send to other URIs even if the host part ends in .myserver.com, because 4.3.2 was violated. However, do send back to x.y.myserver.com, because that was the host which set the cookie.'

And also, I don't think any browser is compliant with all the RFC (and other) specs.

And finally, are you using Version="1"? I think if you don't use that cookie header, a client may interpret the cookie to be version 0, a looser standard produced by Netscape.

0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For beginner Java programmers or at least those new to the Eclipse IDE, the following tutorial will show some (four) ways in which you can import your Java projects to your Eclipse workbench. Introduction While learning Java can be done with…
Introduction This article is the first of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article explains our test automation goals. Then rationale is given for the tools we use to a…
Viewers learn about the third conditional statement “else if” and use it in an example program. Then additional information about conditional statements is provided, covering the topic thoroughly. Viewers learn about the third conditional statement …
This theoretical tutorial explains exceptions, reasons for exceptions, different categories of exception and exception hierarchy.
Suggested Courses
Course of the Month15 days, 21 hours left to enroll

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question