[drakma-devel] drakma:get-cookies fails to parse cookies with commas in values
Edi Weitz
edi at agharta.de
Wed Sep 30 14:41:06 UTC 2009
On Wed, Sep 30, 2009 at 11:09 AM, Edi Weitz <edi at agharta.de> wrote:
> I was going to write that IIS sends a wrong header according to the
> RFCs, but after re-reading them I now think that one might interpret
> them in a different way and that Drakma's general handling of commas
> has to be reworked to accommodate this interpretation.
No. In the meantime, I think this cookie really looks fishy.
In RFC 2109 (for "Set-Cookie") the syntax is defined as "1#cookie"
which according to the HTTP specification this RFC refers to means a
comma-separated list of values, i.e. if a comma is not quoted, it
separates one Set-Cookie header from the next one. I understand that
this is kind of sloppy already because lots of servers use a syntax
were the date in "expires" uses a comma in the wrong place and Drakma
caters to that. The question is how to deal with commas in general.
Consider this example:
Set-Cookie: domain=test.com; expires=Thu, 12-Sep-2109 14:58:04 GMT;
session=foo,bar=baz
If sent by IIS this probably means (?) that the cookie "domain" has an
attribute "session" with the value "foo,bar=baz", right?
But it could also mean (see RFC) that the value of "session" is "foo"
and that there's a second cookie "bar" with the value "baz". In fact,
if Drakma reads two header lines like so
Set-Cookie: domain=test.com; expires=Thu, 12-Sep-2109 14:58:04 GMT;
session=foo
Set-Cookie: bar=baz
it will actually join them with a comma before parsing them (in
accordance with the HTTP RFC).
So, we could probably provide some special variable to make cookie
parsing less restrictive, but I wonder what the exact semantics of
this should be.
Any suggestions?
Thanks,
Edi.
More information about the Drakma-devel
mailing list