cookie question: domain=host:port; ?
Eli the Bearded  
Newsgroups: comp.infosystems.www.misc
From: Eli the Bearded <*...@eli.users.panix.com>
Date: Tue, 24 Jan 2012 06:53:34 +0000 (UTC)
Local: Tues, Jan 24 2012 1:53 am
Subject: cookie question: domain=host:port; ?
I know from testing that trying to set a cookie with the domain
set to match the name and port of the server is not accepted by
Firefox. I'm curious if this is an oversight on their part or
a real limitation of cookies.

What I have is a single server with dev and live versions of a
site running on different ports. I'd really like to have my
session cookies stay with the appropriate version of the site,
instead of each considering the other's invalid asking for a
relogin.

I've read the BNF in RFC6265 section 4.1, and it refers to
domains:

 domain-av         = "Domain=" domain-value
 domain-value      = <subdomain>
                       ; defined in [RFC1034], Section 3.5, as
                       ; enhanced by [RFC1123], Section 2.1

Trouble is RFC1034 and RFC1123 are (1) ancient (no IPv6 support
in *those*) and (2) not the same definition of a host name used
by HTTP.

RFC1034 disallows domains that start with a number, while enhancement
of RFC1123 fixes that. But you've got a domain with labels from [a-z0-9-]
or a dotted quad. This matches the definition of <host> in RFC1738,
but that has been obsoleted by RFC3986, which does allow an IPv6address.

So clearly RFC6265 is broken with respect to bare IPv6 addresses, and
while the intent seems to be that :port was never supposed to be there,
it sure seems wrong to me to allow it in a URL, but not a cookie.

Comments?

Elijah
------
not expecting many


 
Eli the Bearded  
Newsgroups: comp.infosystems.www.misc
From: Eli the Bearded <*...@eli.users.panix.com>
Date: Tue, 24 Jan 2012 20:35:30 +0000 (UTC)
Local: Tues, Jan 24 2012 3:35 pm
Subject: Re: cookie question: domain=host:port; ?
In comp.infosystems.www.misc, Eli the Bearded  <*...@eli.users.panix.com> wrote:

> So clearly RFC6265 is broken with respect to bare IPv6 addresses, and
> while the intent seems to be that :port was never supposed to be there,
> it sure seems wrong to me to allow it in a URL, but not a cookie.

> Comments?

For the record, I wrote to Adam Barth, author of RFC6265, with this
question and got this reply:

| If we were designing cookies today, we'd definitely make it per-port.
| However, cookies are widely used on the Internet today and making this
| sort of change would break too many sites.  For the most part, cookies
| are "done" in the sense that I wouldn't expect them to change much.
| Unfortunately, that means we're stuck with cookies not respecting port
| number.

Elijah
------
damn ill-thought-out web "standards"


 
Ivan Shmakov  
Newsgroups: comp.infosystems.www.misc
From: Ivan Shmakov <oneing...@gmail.com>
Date: Wed, 25 Jan 2012 12:48:58 +0700
Local: Wed, Jan 25 2012 12:48 am
Subject: Re: cookie question: domain=host:port; ?

>>>>> Eli the Bearded <*...@eli.users.panix.com> writes:

[...]

 > What I have is a single server with dev and live versions of a site
 > running on different ports.  I'd really like to have my session
 > cookies stay with the appropriate version of the site, instead of
 > each considering the other's invalid asking for a relogin.

        Is there a reason not to use different DNS names, in addition
        to, or instead of, different port numbers?

        Assuming that the server already has a DNS name, it's rather
        trivial to create an appropriate CNAME DNS RR with, say,
        http://freedns.afraid.org/.  And if it has none, it could be
        assigned there just as well.

[...]

--
FSF associate member #7257
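
The behaviour discussed in this thread, as an added example that is not part of any of the posts: a simplified model of the RFC 6265 storage rule (section 5.3) and domain matching (section 5.1.3), showing why Domain=host:port is ignored, why two ports on one host share a session cookie, and why separate DNS names keep them apart. The host names and ports are constructed, and the model assumes Path, Secure, expiry and public-suffix checks away.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    # RFC 6265 section 5.1.3: identical, or a dot-delimited suffix of a non-IP host.
    return host == domain or (host.endswith("." + domain) and not is_ip(host))

class Jar:
    def __init__(self):
        self.cookies = {}  # (name, domain) -> (value, host_only); the port is not in the key

    def store(self, url, name, value, domain_attr=""):
        host = urlsplit(url).hostname  # request-host: the port is dropped here
        domain = domain_attr.lower()
        if domain.startswith("."):
            domain = domain[1:]
        if domain:
            if not domain_match(host, domain):
                return False  # section 5.3: the cookie is ignored entirely
            host_only = False
        else:
            domain, host_only = host, True
        self.cookies[(name, domain)] = (value, host_only)
        return True

    def cookies_for(self, url):
        host = urlsplit(url).hostname
        return {name: value for (name, dom), (value, host_only) in self.cookies.items()
                if (host == dom if host_only else domain_match(host, dom))}

def same_host_two_ports():
    jar = Jar()  # constructed host names and ports throughout
    accepted = jar.store("http://www.example.test:8080/", "sid", "dev", "www.example.test:8080")
    jar.store("http://www.example.test:8080/", "sid", "dev")
    jar.store("http://www.example.test/", "sid", "live")  # same key: overwrites dev's cookie
    return accepted, jar.cookies_for("http://www.example.test:8080/")

def two_host_names():
    jar = Jar()
    jar.store("http://dev.example.test:8080/", "sid", "dev")
    jar.store("http://www.example.test/", "sid", "live")
    return jar.cookies_for("http://dev.example.test:8080/"), jar.cookies_for("http://www.example.test/")
```

The separation in `two_host_names` holds only while both sites leave the Domain attribute off, so the cookies stay host-only; a cookie set with Domain=example.test would be sent to both names.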


 