I'm trying to set a session cookie restricted to a particular path (let's say /foo) when a user logs in. The complication being that the login page is on /, but the request immediately redirects to /foo/something. Something like this:

Request:

POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=foo&password=bar

Response:

HTTP/1.0 302 Found
Location: http://example.com/foo/home
Set-Cookie: session=whatever; path=/foo

However, the relevant bits of the RFCs I could find (rfc2109 and rfc2965) say this:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The value for the Path attribute is not a prefix of the request-URI.

...

The cookie-setting process described above seems to work okay, but as far as I can tell the RFCs are saying it shouldn't.

I'd like to use this in a production system, but I really don't want to do that if I'm going to face horrible browser incompatibility problems later.

Am I misreading the RFCs?

Thanks in advance!

A: 

Based on your question, I think your understanding of the RFC is correct. It sounds like you want to set the cookie after the redirect to '/foo/home'. I think the real question is: "How do you tell '/foo/home' that the user was authenticated correctly by '/'?"

If you must use a Location header (redirect) to get from '/' to '/foo/home', it seems the only way to do this would be to use a query string parameter in the Location header's value.

Maybe a design question to consider is: why are users authenticating against a URL outside of the path they will be accessing securely? If the only secure content is under '/foo', then why not POST to '/foo/login' instead of '/' for authentication?

AJ
+1  A: 

Don't pay any attention to those RFCs; they diverge from reality pretty badly.

There's currently an IETF WG that's documenting actual cookie behaviour; their document, while just a draft, is much better source material.

See: http://datatracker.ietf.org/doc/draft-ietf-httpstate-cookie/

If you don't find text that addresses your question in the draft, bring it up with the Working Group!

Mark Nottingham
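As an added example that is not part of the original question or either answer: a small JavaScript model of the two rule sets this thread contrasts. rfc2965Accepts implements the rejection clause the question quotes from RFC 2109/2965; defaultPath, pathMatches and rfc6265Store implement the default-path and path-match algorithms browsers actually use, as written down in the httpstate working group draft Mark Nottingham points to (later published as RFC 6265, sections 5.1.4, 5.3 and 5.4). The function names, the cookie jar structure and the request paths are my own constructions, not anything from the page or the RFCs.

```javascript
// Added example (not from the original question or answers): a model of how a
// user agent decides whether to store a cookie carrying a Path attribute and
// whether to attach it to a later request, under two rule sets:
//   * the RFC 2109/2965 clause quoted in the question (reject unless Path is a
//     prefix of the request-URI path), and
//   * the default-path and path-match algorithms from the httpstate WG draft
//     that became RFC 6265 (sections 5.1.4, 5.3 and 5.4).
// All request paths and cookie values below are constructed for illustration.

// RFC 6265 5.1.4: default-path for a cookie with no usable Path attribute.
// "/" -> "/", "/foo" -> "/", "/foo/home" -> "/foo"
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  if (lastSlash === 0) return "/";
  return requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4: path-match. cookie-path must be a prefix of request-path and
// either end in "/" or be followed in request-path by "/". So "/foo" matches
// "/foo/home" but not "/foobar"; this is stricter than a bare string prefix.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Minimal Set-Cookie parser: name=value plus an optional Path attribute
// (attribute names are case-insensitive). Other attributes are ignored; this is
// only enough for the exchange shown in the question.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.trim().toLowerCase() === "path") cookie.path = v.trim();
  }
  return cookie;
}

// The RFC 2965 rejection rule quoted in the question: the cookie is stored only
// if its Path value is a prefix of the request-URI path.
function rfc2965Accepts(requestPath, setCookieHeader) {
  const c = parseSetCookie(setCookieHeader);
  if (c.path === null) return true;
  return requestPath.startsWith(c.path);
}

// RFC 6265 5.3: the Path attribute is never a reason to reject a cookie. An
// absent Path, or one not starting with "/", is replaced by the default-path.
function rfc6265Store(jar, requestPath, setCookieHeader) {
  const c = parseSetCookie(setCookieHeader);
  const cookiePath = c.path && c.path[0] === "/" ? c.path : defaultPath(requestPath);
  jar.push({ name: c.name, value: c.value, path: cookiePath });
  return jar;
}

// Cookies the user agent would send for requestPath (RFC 6265 5.4, path
// dimension only; Domain, Secure and HttpOnly are out of scope here).
function cookiesFor(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .map((c) => `${c.name}=${c.value}`);
}

// The exchange from the question: POST / answers 302 to /foo/home and sets
// Set-Cookie: session=whatever; path=/foo   (constructed to mirror the post)
const SET_COOKIE = "session=whatever; path=/foo";
const jar = rfc6265Store([], "/", SET_COOKIE);

console.log("RFC 2965 would store it:", rfc2965Accepts("/", SET_COOKIE)); // false
console.log("RFC 6265 stores it:", jar.length === 1);                     // true
console.log("sent to /foo/home:", cookiesFor(jar, "/foo/home"));          // [ 'session=whatever' ]
console.log("sent to /foobar:", cookiesFor(jar, "/foobar"));              // []
console.log("sent to /:", cookiesFor(jar, "/"));                          // []
```

Run it with node. The RFC 2965 check rejects the cookie set from / with path=/foo exactly as the question reads the text, while the RFC 6265 logic stores it and then attaches it to /foo/home but not to /foobar or /, because path-match needs a "/" boundary rather than a bare string prefix. One caveat worth keeping in mind when relying on this in production: RFC 6265 (section 8.6) states that the Path attribute is not a security boundary. The same-origin policy does not isolate paths, so a page served from another path on the same origin can still read a cookie scoped to /foo, for instance by framing /foo/home and reading document.cookie from the frame. Path limits which requests carry the cookie, not which pages on the origin can reach it.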