Forum OpenACS Development: Re: Cookie handling and IE

Posted by Mark Aufflick on

The cookie is set via the HTTP session header:

Set-Cookie: NAME=VALUE; expires=DATE;
path=PATH; domain=DOMAIN_NAME; secure

If we don't specify the domain= part, the decision about what host it is for is left up to the browser. RFC 2109 states the following about how user agents SHOULD interpret missing values:

4.3  User Agent Role

4.3.1  Interpreting Set-Cookie

   The user agent keeps separate track of state information that arrives
   via Set-Cookie response headers from each origin server (as
   distinguished by name or IP address and port).  The user agent
   applies these defaults for optional attributes that are missing:

   Version  Defaults to "old cookie" behavior as originally specified by
            Netscape.  See the HISTORICAL section.

   Domain Defaults to the request-host.  (Note that there is no dot at
          the beginning of request-host.)

   Max-Age  The default behavior is to discard the cookie when the user
            agent exits.

   Path   Defaults to the path of the request URL that generated the
          Set-Cookie response, up to, but not including, the
          right-most /.

   Secure If absent, the user agent may send the cookie over an
          insecure channel.

and here is what it says about matching host names:

   Host names can be specified either as an IP address or a FQHN
   string.  Sometimes we compare one host name with another.  Host A's
   name domain-matches host B's if

   * both host names are IP addresses and their host name strings match
     exactly; or

   * both host names are FQDN strings and their host name strings match
     exactly; or

   * A is a FQDN string and has the form NB, where N is a non-empty name
     string, B has the form .B', and B' is a FQDN string.  (So, x.y.com
     domain-matches .y.com but not y.com.)

   Note that domain-match is not a commutative operation: a.b.c.com
   domain-matches .c.com, but not the reverse.

So leaving Domain blank should leave the fqdn hostname in the string to be matched against (notice where it says "does not start with a period"). If IE is doing something different - e.g. dropping the hostname and leaving a domain instead, then that would explain the problem.

In the past I have specified an fqdn hostname for a cookie which appears to work fine. However, the spec for HTTP/1.0 state management says that shouldn't work:

   Domain=domain
      Optional.  The Domain attribute specifies the domain for which the
      cookie is valid.  An explicitly specified domain must always start
      with a dot.

I'm not sure I have helped here... Russell, do you have any comments?
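The RFC 2109 rules quoted above (the request-host default for a missing Domain, the default Path, and the non-commutative domain-match test) as an added example in Python; this is not code from the thread or from OpenACS, and the Set-Cookie strings and host names in it are constructed for illustration. It lets you check which hosts a given Set-Cookie header would be sent back to under a strict reading of the spec.

```python
import ipaddress


def is_ip(host: str) -> bool:
    """True if host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(a: str, b: str) -> bool:
    """RFC 2109 domain-match: does host name A domain-match B?
    Not commutative: a.b.c.com domain-matches .c.com, not the reverse."""
    a, b = a.lower(), b.lower()
    if is_ip(a) and is_ip(b):
        return a == b                 # both IP addresses: exact string match
    if is_ip(a) or is_ip(b):
        return False                  # an IP never matches a name
    if not b.startswith("."):
        return a == b                 # both FQDN strings: exact match
    # A has the form N + B, N non-empty, and B' (B without its leading dot)
    # must itself contain a dot (RFC 2109 4.3.2 rejects bare ".com" style domains).
    return a.endswith(b) and len(a) > len(b) and "." in b[1:]


def effective_domain(set_cookie: str, request_host: str) -> str:
    """Apply the 4.3.1 default: a missing Domain attribute becomes the
    request-host itself, which carries no leading dot."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.strip().lower() == "domain":
            return value.strip().lower()
    return request_host.lower()


def default_path(request_path: str) -> str:
    """4.3.1 default Path: the request URL path up to, but not including,
    the right-most '/' (so '/foo/bar.tcl' gives '/foo')."""
    return request_path.rsplit("/", 1)[0]


def cookie_sent_to(set_cookie: str, request_host: str, target_host: str) -> bool:
    """Would a cookie set by request_host be returned to target_host?"""
    return domain_matches(target_host, effective_domain(set_cookie, request_host))
```

Under this strict reading a cookie set without Domain from www.example.com goes only to www.example.com, and one with Domain=.example.com goes to www.example.com and other.example.com but not to example.com itself.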