Discouraging the use of HTTP::Cookies

Tom Hukins

Apr 17, 2016, 9:45:03 AM
to lib...@perl.org
Hi,

In November 2015 I gave a talk at London.pm about managing HTTP cookies
in Perl. As a consequence, I sent a documentation patch to the
HTTP::Cookies module to discourage its use:
https://github.com/gisle/http-cookies/pull/7

My patch includes a test script demonstrating the module's limitations:
https://github.com/gisle/http-cookies/pull/7/commits/ae00b4ed6aedc1cce72c0e8ddf5e7e8fbba417a8

Last week at London.pm's Perl Hack Day I published a Perl::Critic
policy to detect code that uses HTTP::Cookies:
https://metacpan.org/release/Perl-Critic-Policy-HTTPCookies

I want to share this because it looks like my HTTP::Cookies patch won't
get reviewed or released any time soon. I'd like to encourage readers
to consider using HTTP::CookieJar or HTTP::CookieJar::LWP instead.

Tom

Tom Hukins

Apr 17, 2016, 12:00:02 PM
to lib...@perl.org
On Sun, Apr 17, 2016 at 11:40:43AM -0400, Mark Gardner wrote:
> Another suggestion: submit PRs to port these CPAN dists to use
> HTTP::CookieJar[::LWP] instead of HTTP::Cookies:
>
> https://metacpan.org/requires/distribution/HTTP-Cookies

Definitely! I mentioned that in my talk last November and I intend to
work through some of the more popular modules listed.

However, some installations might rely on the bad behaviour. We'll need
to think carefully before submitting patches. Some years ago, LWP was
fixed to reject invalid SSL certificates when using https. This made
environments more secure, but broke various people's working code
unexpectedly.

But yes, if anyone (including you and me) finds a module where moving
away from HTTP::Cookies makes sense, we should send a patch to make it
do so.

Tom