A co-worker pointed out to me that different Mozilla versions seem to have been swinging back and forth on whether the port number should be included in cookies or not. Bugzilla bug 142803 discusses this, and also references an older bug 99311 entered by Hrvoje Niksic back in 2001 when he was working at aD.

This same issue has definitely been discussed here before, in Sept. 2002 and Feb. 2003. (And here are some other threads that might also be relevant, from April, May, and June 2002.)
The Bugzilla entries say that the relevant RFCs (2109 and 2965) specify that "cookie domain" defaults to the request-host, and that request-host does not include the port. However, that Bugzilla bug report does not seem to say anything at all about what Mozilla's behavior is or should be when the cookie domain is not allowed to default, but is explicitly given by the server setting the cookie.

I did not really read the RFCs; however, am I correct in assuming that the above means we can get whatever behavior we want if the OpenACS code always specifies the cookie domain?
In OpenACS 4.6.2, ad_set_cookie and ad_set_signed_cookie do include a -domain option, but none of the other code in OpenACS (basically just stuff in acs-tcl/tcl/security-procs.tcl) ever seems to specify -domain at all.
So... several general questions:
- Do the Mozilla people currently (finally?) have it right? Are
they leaving anything out, or should anyone here contact them
further?
- What exactly is the current status of cookie handling in
OpenACS? Under what scenarios of current or possible Mozilla
behavior will current OpenACS work correctly with sites using port
numbers in the URL? What about in combination with SSL? What can
or should be changed to make OpenACS work with different (all?)
scenarios? (And what about IE?)
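To make the RFC 2109 rule the post refers to concrete, here is an added example (not OpenACS code and not from the thread) that models how a cookie's effective domain is chosen from the request-host or an explicit Domain attribute, and checks which later requests receive it. The point it demonstrates is that the port never enters the scope: a cookie set on one port of a host is sent to every other port on that host, with or without SSL, so the only lever the server has is the Domain attribute.

```python
from urllib.parse import urlsplit


def domain_match(host, domain):
    """RFC 2109 domain-match, simplified: either the names are identical, or
    `domain` starts with a dot and `host` is NB where N is a non-empty name
    string and B equals `domain`.  Comparison is case-insensitive."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not domain.startswith(".") or not host.endswith(domain):
        return False
    return host[: -len(domain)] != ""


def cookie_scope(set_by_url, domain_attr=None):
    """Effective domain of a cookie set by a response from `set_by_url`.

    With no Domain attribute the scope defaults to the request-host, which
    deliberately excludes the port (urlsplit().hostname strips it).  An
    explicit Domain is accepted only under the RFC 2109 rejection rules:
    it must start with a dot, contain an embedded dot, domain-match the
    request-host, and the leading part of the host must not itself contain
    a dot.  Raises ValueError when the cookie would be rejected."""
    request_host = urlsplit(set_by_url).hostname.lower()
    if domain_attr is None:
        return request_host
    domain_attr = domain_attr.lower()
    if not domain_attr.startswith(".") or "." not in domain_attr[1:]:
        raise ValueError("Domain must start with a dot and have an embedded dot")
    if not domain_match(request_host, domain_attr):
        raise ValueError("request-host does not domain-match Domain")
    if "." in request_host[: -len(domain_attr)]:
        raise ValueError("request-host has extra labels before Domain")
    return domain_attr


def cookie_sent_to(scope, request_url):
    """True if a cookie scoped to `scope` accompanies a request to `request_url`.
    Only the host name is compared; scheme and port are ignored entirely."""
    return domain_match(urlsplit(request_url).hostname, scope)
```

Current browsers follow RFC 6265 rather than 2109 (a leading dot on Domain is ignored and `Domain=example.com` also matches example.com itself), but the port is still not part of a cookie's scope there either.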