cookie handling by joist and noodle

Author: Andy Cooke <andrewc at owl dot co dot uk>
Date: 2001-09-19 10:47:36 PDT

Hi Folks,

I've been trying to sort out problems we were having with the document
downloads section of Tigris 1.0.8 (what a shame this is no longer open
source!). As a reminder, Colm's last email to the former
dev at releng dot tigris dot org list is posted at the end of this message.

It turns out that the ProjectDocumentAdd servlet would post documents with
"isPublic" set to false by default (should be true!?!), which forces the
Apache server to make use of the MDARealmMask of the mod_auth_mda module.
This module expects to receive a MDAAuth cookie. This cookie is set by both
ProjectDocumentList and ProjectDownloadList servlets, and sent with the
response object back to the client during re-direction. The transparent
HTTP proxy (Noodle) intercepts this, and Joist's CopyCookies.java filter
does some manipulation of the cookies (I'm yet to figure this bit out...)

So, mystified, I added a relay between my browsers and our site, to log the
HTTP being exchanged between client and browser. Pasted below are excerpts
from the log of a session with Internet Explorer:

...<Logging on to Tigris 1.0.8 for the first time, and the server returns

S1 HTTP/1.1 200 OK
S1 Date: Wed, 19 Sep 2001 15:21:47 GMT
S1 Server: Apache/1.3.17 (Unix) ApacheJServ/1.1.2 AuthMySQL/2.20
S1 HelmLoginID: guest
S1 Set-Cookie: JServSessionIdservlets=j2wa04io51; domain=.owl.co.uk; path=/
S1 Connection: close
S1 Content-Type: text/html
S1 X-Pad: avoid browser bug

...<then later, the IE client requests a download, and the MDAAuth cookie is

wnload HTTP/1.0
C36 Accept: */*
C36 Referer: http://owl-sqa.jake.owl.co.uk/servlets/ProjectDocumentList
C36 Accept-Language: en-gb
C36 Accept-Encoding: gzip, deflate
C36 User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
C36 Host: owl-sqa.jake.owl.co.uk
C36 Proxy-Connection: Keep-Alive
C36 Cookie: JServSessionIdservlets=j2wa04io51
S36 HTTP/1.1 302 Found
S36 Date: Wed, 19 Sep 2001 15:31:46 GMT
S36 Server: Apache/1.3.17 (Unix) ApacheJServ/1.1.2 AuthMySQL/2.20
S36 HelmLoginID: andrewc
S36 Set-Cookie:
expires=Thu, 20-Sep-2001 15:31:46 GMT; domain=.co.uk; path=/
S36 Location: http://www.jake.owl.co.uk/files/documents/13/4/index.html
S36 Connection: close
S36 Content-Type: text/html; charset=iso-8859-1

... <something's gone wrong, as IE then hasn't correctly set the MDAAuth
cookie. So the server chucks an MDABack cookie back at the client, with the
error page (in this case, the Document List) >

C37 GET http://www.jake.owl.co.uk/files/documents/13/4/index.html HTTP/1.0
C37 Accept: */*
C37 Referer: http://owl-sqa.jake.owl.co.uk/servlets/ProjectDocumentList
C37 Accept-Language: en-gb
C37 Accept-Encoding: gzip, deflate
C37 User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
C37 Host: www.jake.owl.co.uk
C37 Proxy-Connection: Keep-Alive
C37 Cookie: JServSessionIdservlets=j2wa04io51
S37 HTTP/1.1 302 Found
S37 Date: Wed, 19 Sep 2001 15:31:46 GMT
S37 Server: Apache/1.3.17 (Unix) ApacheJServ/1.1.2 AuthMySQL/2.20
S37 Set-Cookie:
s%2f13%2f4%2findex.html%3frealm%3d20; path=/; domain=.jake.owl.co.uk
S37 Location: http://owl-sqa.jake.owl.co.uk/servlets/ProjectDocumentList
S37 Connection: close
S37 Content-Type: text/html; charset=iso-8859-1

Notice that when the MDAAuth cookie is set, the "expires=" field has been
set. This is the only difference I can see between the three instances of
Set-Cookie above.

I think in old Netscape HTTP, it should be "Expires=", but why isn't the
"Max-Age=" field used instead? And where is the "expires=" written in the
first place? Is this by Apache?

Sorry for the long email. I realise that you probably are not making much
use of Joist now, but any insights would be gratefully received :-)

best wishes,

Andy Cooke

-------------- Colm McCarten's posting to dev at releng dot tigris dot org, 24/08/2001

>>>> > - Netscape seems to be the only browser that correctly handles the
>>>> > area... (on Windows opera and IE open a new window with a duplicate
>>>> > page). Also isn't there some problem about NS requiring a two-part
>>>> > COOKIE_DOMAIN? I would really appreciate any information anyone has
>>>> > since I haven't experienced problems in this area yet...
>>>> This should definitely be made to work on IE ASAP.
>>>IE and Mozilla 093 both work with HEAD from JR's sandbox.
>>For the record, this isn't the case in 1.0.8 which makes me think it must be a
>>recent change - anybody know to what? When?
>I hate to repost but any takers on this? I know the functionality has moved
>nidaba so its tricky to see what has changed in CVS. Does anyone remember
>addressing this bug? I don't see anything in IZ (although maybe related to
>Even a pointer as to what might need looked at? I can't see anything in the
>generated HTML that looks dodgy so I'm thinking it is an Apache config

This seems to be something to do with cookies - I'm logging the
ProjectDocumentList's output and it seems fine but different clients are
different cookies - IE seems to see a different domain path than NS (or
and after accepting this still goes to a duplicate of the page...

Anyone equally bothered by this?



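Added example (not part of the original message or of the Tigris/Joist code): a check of each Set-Cookie header's domain attribute against the request host, using the original Netscape period-count rule and a public-suffix test, run over the three responses in the log above. Cookie values the log elides are placeholders, the request host for S1 is assumed, and the small suffix set stands in for the real Public Suffix List.

```python
# Added example: vet the domain attribute of Set-Cookie headers per request host.
GENERIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}  # Netscape spec's special TLDs
# Assumption: tiny stand-in for the Public Suffix List that current browsers consult.
PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "ac.uk"}

# Constructed sample modelled on responses S1, S36 and S37 in the log above.
# Cookie values the log elides are placeholders; the S1 request host is assumed.
SAMPLE = [
    ("owl-sqa.jake.owl.co.uk",
     "JServSessionIdservlets=j2wa04io51; domain=.owl.co.uk; path=/"),
    ("owl-sqa.jake.owl.co.uk",
     "MDAAuth=PLACEHOLDER; expires=Thu, 20-Sep-2001 15:31:46 GMT; domain=.co.uk; path=/"),
    ("www.jake.owl.co.uk",
     "MDABack=PLACEHOLDER; path=/; domain=.jake.owl.co.uk"),
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    return first.split("=", 1)[0], attrs

def check_domain(host, header):
    """Return the reasons a browser may refuse the cookie; empty list means none found."""
    _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lower()
    if not domain:
        return []  # no domain attribute: cookie is scoped to the exact host
    bare, host, problems = domain.lstrip("."), host.lower(), []
    if host != bare and not host.endswith("." + bare):
        problems.append("request host is outside the cookie domain")
    # Netscape rule: two periods suffice under the special TLDs, three elsewhere.
    needed = 2 if bare.rsplit(".", 1)[-1] in GENERIC_TLDS else 3
    if domain.count(".") < needed:
        problems.append(f"Netscape rule wants {needed} periods in the domain")
    if bare in PUBLIC_SUFFIXES:
        problems.append("domain is a public suffix shared by unrelated sites")
    return problems

def audit(sample):
    """Map each cookie name to its list of problems."""
    return {parse_set_cookie(h)[0]: check_domain(host, h) for host, h in sample}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "->", problems or "ok")
```

A cookie scoped to a public suffix such as `.co.uk` would be sent to every site under that suffix, which is why browsers refuse it; the fix on the server side is to set the cookie domain to the narrowest parent shared by the hosts that need it.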