Author karlcow
Recipients BM, BreamoreBoy, aclover, akuchling, dstanek, georg.brandl, jerry.seutter, jjlee, karlcow, r.david.murray, tim.peters
Date 2011-01-05.13:23:36
SpamBayes Score 2.8120181e-05
Marked as misclassified No
Message-id <1294233818.15.0.106426649592.issue2193@psf.upfronthosting.co.za>
In-reply-to
Content
John: Ah sorry, if I misunderstood. The bug seems to say that it is about the Cookie Name and legal chars for this cookie name. What I was trying to say is that the processing of the Cookie Name is different depending on whether you are a client or a server *and* that there is a specification being developed by Adam Barth (part of browser vendors) to obsolete RFC 2109.
In the case of Server sending to the Client
 Set-Cookie: Name=Value
The rules for production of the cookies must be strict. Always. aka the module is used for creating a cookie and indeed the "colon" character is forbidden. The "token" syntax for valid chars and invalid chars is now defined in RFC2696. It means that any US-ASCII characters EXCEPT those are authorized:
control characters (octets 0-31) and DEL (octet 127) and, the following characters "(", ")", "<", ">", "@", ",", ";", ":", "\", "/", "[", "]", "?", "=", "{", "}", the double quote character itself, US-ASCII SP (octet 32) or the tabulation (octet 9)
Then if you use the Cookie Module for a client it is no longer the same story.
In the case of Client storing the value of the cookie sent by a server.
See the section "5.2. The Set-Cookie Header", 
http://tools.ietf.org/html/draft-ietf-httpstate-cookie-20#section-5.2
quote:
 
 If the user agent does not ignore the Set-Cookie header
 field in its entirety, the user agent MUST parse the
 field-value of the Set-Cookie header field as a
 set-cookie-string (defined below).
 
 NOTE: The algorithm below is more permissive than the
 grammar in Section 4.1. For example, the algorithm strips
 leading and trailing whitespace from the cookie name and
 value (but maintains internal whitespace), whereas the
 grammar in Section 4.1 forbids whitespace in these
 positions. User agents use this algorithm so as to
 interoperate with servers that do not follow the
 recommendations in Section 4.
/quote
Then the algorithm is described. Which means that what the server will parse will not necessarily be what the server has generated.
Section 5.4 says how the Cookie Header should be sent to the server, with an algorithm for what the server will receive.
John, do you think there is a missing algorithm for parsing the value of cookie header when sent by the client?
History
Date User Action Args
2011-01-05 13:23:38 karlcow set recipients: + karlcow, tim.peters, akuchling, georg.brandl, jjlee, dstanek, jerry.seutter, BM, aclover, r.david.murray, BreamoreBoy
2011-01-05 13:23:38 karlcow set messageid: <1294233818.15.0.106426649592.issue2193@psf.upfronthosting.co.za>
2011-01-05 13:23:36 karlcow link issue2193 messages
2011-01-05 13:23:36 karlcow create
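
The strict-producer versus permissive-parser split described in the message, as an added example that is not part of the original message or of the Python Cookie module. The function names are hypothetical, the separator set is the one listed in the message, and the parsing steps (cut at the first ";", require "=", strip outer whitespace, ignore an empty name) are an assumed, simplified reading of the draft's section 5.2 algorithm.

```python
# Separators excluded from "token", as listed in the message above.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
# Octets 33-126 leave out control characters (0-31), SP (32) and DEL (127).
TOKEN_CHARS = {chr(c) for c in range(33, 127)} - SEPARATORS


def is_token(name):
    """Strict, server-side check: non-empty and made only of token characters."""
    return bool(name) and all(ch in TOKEN_CHARS for ch in name)


def parse_set_cookie_pair(field_value):
    """Permissive, client-side parse of the name-value pair of a Set-Cookie value.

    Returns (name, value), or None when the user agent would ignore the header.
    Assumed simplification: cookie attributes after the first ";" are not parsed.
    """
    pair = field_value.split(";", 1)[0]
    if "=" not in pair:
        return None  # no "=": the set-cookie-string is ignored
    name, value = pair.split("=", 1)
    # Leading and trailing whitespace is stripped, internal whitespace is kept.
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name:
        return None  # empty name: the set-cookie-string is ignored
    return name, value


def compare(field_value):
    """Return (parsed pair, whether a strict producer could have emitted that name)."""
    parsed = parse_set_cookie_pair(field_value)
    return parsed, (parsed is not None and is_token(parsed[0]))


# Constructed Set-Cookie field-values, not taken from the issue.
SAMPLES = ["SID=31d4d96e407aad42; Path=/", "  my:name = a b ; Secure", "novalue", "=x"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", compare(sample))
```

The second sample is the case the message is about: a client following the permissive algorithm stores the name `my:name`, which a strict producer would refuse to generate.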
