
Matts (1087)


I work for MessageLabs [messagelabs.com] in Toronto, ON, Canada. I write spam filters, MTA software, high performance network software, string matching algorithms, and other cool stuff mostly in Perl and C.

Journal of Matts (1087)

Saturday August 05, 2006
09:33 AM

The strangeness of RFC-2109

[ #30536 ]

Yesterday I had cause to implement cookie parsing and generation within AxKit2. I had browsed a couple of modules for it, but they're all wrapped up in other means of getting the cookie header, so just to be certain I went to the source - the Cookie spec - RFC 2109.

What's very strange is that the cookie spec is only vaguely similar to what people send to the browser and expect back in the Perl world.

Things that are different from what I've seen in Perl implementations:

  • Expires isn't really valid (it's from the old Netscape implementation). The correct parameter is Max-Age. CGI::Cookie supports this but most other cookie libraries don't.
  • There's a Version attribute which is supposed to be sent in both directions. When it comes back it's $Version. Most cookie libraries will give you access to receive this, but not set it.
  • The Path attribute is sent back with the cookies from the client as $Path. Because cookie libraries compress all the cookies into a hash you can probably only access one of these.
  • When you send Set-Cookie you're also supposed to send Expires: [date far in past]

So now I'm trying to do the right thing with making all this work, but I'm not sure it's worth the effort.
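
As an added example (not part of the original journal entry and not AxKit2's code): a small Perl parser for the RFC 2109 Cookie request header that keeps each cookie's own $Path and $Domain, next to a flat name-to-value hash built from the same header to show what collapsing loses. The function name, the constructed sample header and the simple flattening loop are assumptions for illustration.

```perl
use strict;
use warnings;

# Parse an RFC 2109 "Cookie:" request header value into an ordered list of
# cookies, each keeping its own $Path/$Domain, instead of a name => value hash.
sub parse_rfc2109_cookie {
    my ($header) = @_;
    my (@cookies, $version);

    # attr [= value]; value is a token or a quoted-string (may contain ";" or ",")
    while ($header =~ /\G\s*([^=;,\s]+)\s*(?:=\s*(?:"((?:[^"\\]|\\.)*)"|([^;,]*)))?\s*(?:[;,]|\z)/gc) {
        my ($attr, $quoted, $bare) = ($1, $2, $3);
        my $value = defined $quoted ? $quoted : defined $bare ? $bare : '';
        $value =~ s/\\(.)/$1/g if defined $quoted;      # undo quoted-pair escapes
        $value =~ s/\s+\z//    unless defined $quoted;  # trim a bare token

        if ($attr =~ /\A\$Version\z/i) {
            $version = $value;                          # applies to the cookies that follow
        }
        elsif ($attr =~ /\A\$(Path|Domain)\z/i) {
            # $Path and $Domain qualify the cookie immediately before them.
            $cookies[-1]{ lc $1 } = $value if @cookies;
        }
        elsif ($attr !~ /\A\$/) {
            push @cookies, { name => $attr, value => $value, version => $version };
        }
        # Any other "$"-prefixed name is reserved by the RFC and skipped here.
    }
    die "unparsable Cookie header near offset " . (pos($header) // 0) . "\n"
        if (pos($header) // 0) < length $header;
    return @cookies;
}

# Constructed sample header, modelled on the RFC's examples: one name, two paths.
my $header = '$Version="1"; Part_Number="Riding_Rocket_0023"; $Path="/acme/ammo"; '
           . 'Part_Number="Rocket_Launcher_0001"; $Path="/acme"';

printf "%-11s = %-20s path=%-10s version=%s\n",
    $_->{name}, $_->{value}, $_->{path} // '-', $_->{version} // '-'
    for parse_rfc2109_cookie($header);

# Stand-in for a flat hash: later pairs overwrite earlier ones with the same key.
my %flat;
for my $pair (split /;\s*/, $header) {
    my ($k, $v) = split /=/, $pair, 2;
    $v =~ s/\A"|"\z//g;
    $flat{$k} = $v;
}
print "flat hash: $_ => $flat{$_}\n" for sort keys %flat;
```

The list form reports both Part_Number cookies with their separate paths, while the flat hash is left with a single Part_Number and a single $Path.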

  • Did you happen to look at HTTP::Cookies while you were looking at cookie handling modules?

    I'm currently debugging some warnings that seem to be coming out of HTTP::Cookies, specifically 'not defined' type warnings. But I haven't seen any other reports of this, so I'm wondering if I'm just dealing with some malformed or non-standard cookies. I'm thinking I should look at the cookies first, but maybe the module could use a tweak too.
  • I've been both reading up a little and trying some stuff out on various browsers. The state of things is well summarized on this page [modpython.org]:

    Even though there are official IETF RFC's describing HTTP State Management Mechanism using cookies, the de facto standard supported by most browsers is the original Netscape specification. Furthermore, true compliance with IETF standards is actually incompatible with many popular browsers, even those that claim to be RFC-compliant.

    Check out the reading list at the bottom, the