Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
cookie question: domain=host:port; ?
1,118 views
Skip to first unread message
Eli the Bearded
Jan 24, 2012, 1:53:34 AM1/24/12
to
I know from testing that trying to set a cookie with the domain
set to match the name and port of the server is not accepted by
Firefox. I'm curious if this is an oversight on their part or
a real limitation of cookies.
What I have is a single server with dev and live versions of a
site running on different ports. I'd really like to have my
session cookies stay with the appropriate version of the site,
instead of each considering the other's invalid asking for a
relogin.
I've read the BNF in RFC6265 section 4.1, and it refers to
domains:
domain-av = "Domain=" domain-value
domain-value = <subdomain>
; defined in [RFC1034], Section 3.5, as
; enhanced by [RFC1123], Section 2.1
Trouble is RFC1034 and RFC1123 are (1) ancient (no IPv6 support
in *those*) and (2) not the same definition of a host name used
by HTTP.
RFC1034 disallows domains that start with a number, while enhancement
of RFC1123 fixes that. But you've got a domain with labels from [a-z0-9-]
or a dotted quad. This matches the definition of <host> in RFC1738,
but that has been obsoleted by RFC3986, which does allow a IPv6address.
So clearly RFC6265 is broken with respect to bare IPv6 addresses, and
while the intent seems to be that :port was never supposed to be there,
it sure seems wrong to me to allow it in a URL, but not a cookie.
Comments?
Elijah
------
not expecting many
set to match the name and port of the server is not accepted by
Firefox. I'm curious if this is an oversight on their part or
a real limitation of cookies.
What I have is a single server with dev and live versions of a
site running on different ports. I'd really like to have my
session cookies stay with the appropriate version of the site,
instead of each considering the other's invalid asking for a
relogin.
I've read the BNF in RFC6265 section 4.1, and it refers to
domains:
domain-av = "Domain=" domain-value
domain-value = <subdomain>
; defined in [RFC1034], Section 3.5, as
; enhanced by [RFC1123], Section 2.1
Trouble is RFC1034 and RFC1123 are (1) ancient (no IPv6 support
in *those*) and (2) not the same definition of a host name used
by HTTP.
RFC1034 disallows domains that start with a number, while enhancement
of RFC1123 fixes that. But you've got a domain with labels from [a-z0-9-]
or a dotted quad. This matches the definition of <host> in RFC1738,
but that has been obsoleted by RFC3986, which does allow a IPv6address.
So clearly RFC6265 is broken with respect to bare IPv6 addresses, and
while the intent seems to be that :port was never supposed to be there,
it sure seems wrong to me to allow it in a URL, but not a cookie.
Comments?
Elijah
------
not expecting many
Eli the Bearded
Jan 24, 2012, 3:35:30 PM1/24/12
to
In comp.infosystems.www.misc, Eli the Bearded <*@eli.users.panix.com> wrote:
> So clearly RFC6265 is broken with respect to bare IPv6 addresses, and
> while the intent seems to be that :port was never supposed to be there,
> it sure seems wrong to me to allow it in a URL, but not a cookie.
>
> Comments?
For the record, I wrote to Adam Barth, author of RFC6265, with this
> So clearly RFC6265 is broken with respect to bare IPv6 addresses, and
> while the intent seems to be that :port was never supposed to be there,
> it sure seems wrong to me to allow it in a URL, but not a cookie.
>
> Comments?
question and got this reply:
| If we were designing cookies today, we'd definitely make it per-port.
| However, cookies are widely used on the Internet today and making this
| sort of change would break too many sites. For the most part, cookies
| are "done" in the sense that I wouldn't expect them to change much.
| Unfortunately, that means we stuck with cookies not respecting port
| number.
Elijah
------
damn ill-thought-out web "standards"
Ivan Shmakov
Jan 25, 2012, 12:48:58 AM1/25/12
to
>>>>> Eli the Bearded <*@eli.users.panix.com> writes:
[...]
> What I have is a single server with dev and live versions of a site
> running on different ports. I'd really like to have my session
> cookies stay with the appropriate version of the site, instead of
> each considering the other's invalid asking for a relogin.
Is there a reason not to use different DNS names, in addition
to, or instead of, different port numbers?
Assuming that the server already has a DNS name, it's rather
trivial to create an appropriate CNAME DNS RR with, say,
http://freedns.afraid.org/. And if it has none, it could be
assigned there just as well.
[...]
--
FSF associate member #7257
[...]
> What I have is a single server with dev and live versions of a site
> running on different ports. I'd really like to have my session
> cookies stay with the appropriate version of the site, instead of
> each considering the other's invalid asking for a relogin.
to, or instead of, different port numbers?
Assuming that the server already has a DNS name, it's rather
trivial to create an appropriate CNAME DNS RR with, say,
http://freedns.afraid.org/. And if it has none, it could be
assigned there just as well.
[...]
--
FSF associate member #7257
0 new messages