
Re: cookie handling by joist and noodle

Author dlr
Full name Daniel Rall
Date 2001-09-21 10:06:01 PDT
Message FWIW, this issue is completely unrelated to Joist.

"Andy Cooke" <andrewc at owl dot co dot uk> writes:

> Notice that when the MDAAuth cookie is set, the "expires=" field has been
> set. This is the only difference I can see between the three instances of
> Set-Cookie above.

The expires field is written by the servlet container's implementation
of the servlet API (see line 211 of JServUtils). The value of the
cookie expires header corresponds to the call to cookie.setMaxAge(int)
in MDACookie's write() method.

> I think in old netscape HTTP, it should be "Expires=", but why isn't the
> "Max-Age=" field used instead? And where is the "expires=" written in the
> first place? Is this by Apache?

I'm not sure that the cookie expires header has to follow quite the
same rules as the HTTP Expires header, since it is but a field of the
Set-Cookie header.


                             Daniel Rall

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@joist.tigris.org
For additional commands, e-mail: dev-help at joist dot tigris dot org

cookie handling by joist and noodle

Author Andy Cooke <andrewc at owl dot co dot uk>
Full name Andy Cooke <andrewc at owl dot co dot uk>
Date 2001-09-19 10:47:36 PDT
Message Hi Folks,

I've been trying to sort out problems we were having with the document
downloads section of Tigris 1.0.8 (what a shame this is no longer open
source!). As a reminder, Colm's last email to the former
dev at releng dot tigris dot org list is posted at the end of this message.

It turns out that the ProjectDocumentAdd servlet would post documents with
"isPublic" set to false by default (should be true!?!), which forces the
Apache server to make use of the MDARealmMask of the mod_auth_mda module.
This module expects to receive a MDAAuth cookie. This cookie is set by both
ProjectDocumentList and ProjectDownloadList servlets, and sent with the
response object back to the client during re-direction. The transparent
HTTP proxy (Noodle) intercepts this, and Joist's CopyCookies.java filter
does some manipulation of the cookies (I'm yet to figure this bit out...)

So, mystified, I added a relay between my browsers and our site, to log the
HTTP being exchanged between client and browser. Pasted below are excerpts
from the log of a session with Internet Explorer:

...<Logging on to Tigris 1.0.8 for the first time, and the server returns
this>

S1 HTTP/1.1 200 OK
S1 Date: Wed, 19 Sep 2001 15:21:47 GMT
S1 Server: Apache/1.3.17 (Unix) ApacheJServ/1.1.2 AuthMySQL/2.20
S1 HelmLoginID: guest
S1 Set-Cookie: JServSessionIdservlets=j2wa04io51; domain=.owl.co.uk; path=/
S1 Connection: close
S1 Content-Type: text/html
S1 X-Pad: avoid browser bug
S1
...

...<then later, the IE client requests a download, and the MDAAuth cookie is
returned>

C36 GET http://owl-sqa.jake.owl.co.uk/servlets/ProjectDocumentList?dcID=19&action=download HTTP/1.0
C36 Accept: */*
C36 Referer: http://owl-sqa.jake.owl.co.uk/servlets/ProjectDocumentList
C36 Accept-Language: en-gb
C36 Accept-Encoding: gzip, deflate
C36 User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
C36 Host: owl-sqa.jake.owl.co.uk
C36 Proxy-Connection: Keep-Alive
C36 Cookie: JServSessionIdservlets=j2wa04io51
C36
S36 HTTP/1.1 302 Found
S36 Date: Wed, 19 Sep 2001 15:31:46 GMT
S36 Server: Apache/1.3.17 (Unix) ApacheJServ/1.1.2 AuthMySQL/2.20
S36 HelmLoginID: andrewc
S36 Set-Cookie: MDAAuth=9cd15a061b21128c58136492a1e06c3e3ba8ba62andrewc@owl.co.uk!2000!; expires=Thu, 20-Sep-2001 15:31:46 GMT; domain=.co.uk; path=/
S36 Location: http://www.jake.owl.co.uk/files/documents/13/4/index.html
S36 Connection: close
S36 Content-Type: text/html; charset=iso-8859-1
S36
...

... <something's gone wrong, as IE then hasn't correctly set the MDAAuth
cookie. So the server chucks an MDABack cookie back at the client, with the
error page (in this case, the Document List) >

C37 GET http://www.jake.owl.co.uk/files/documents/13/4/index.html HTTP/1.0
C37 Accept: */*
C37 Referer: http://owl-sqa.jake.owl.co.uk/servlets/ProjectDocumentList
C37 Accept-Language: en-gb
C37 Accept-Encoding: gzip, deflate
C37 User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
C37 Host: www.jake.owl.co.uk
C37 Proxy-Connection: Keep-Alive
C37 Cookie: JServSessionIdservlets=j2wa04io51
C37
S37 HTTP/1.1 302 Found
S37 Date: Wed, 19 Sep 2001 15:31:46 GMT
S37 Server: Apache/1.3.17 (Unix) ApacheJServ/1.1.2 AuthMySQL/2.20
S37 Set-Cookie: MDABack=www.jake.owl.co.ukhttp%3a%2f%2fwww.jake.owl.co.uk%2ffiles%2fdocuments%2f13%2f4%2findex.html%3frealm%3d20; path=/; domain=.jake.owl.co.uk
S37 Location: http://owl-sqa.jake.owl.co.uk/servlets/ProjectDocumentList
S37 Connection: close
S37 Content-Type: text/html; charset=iso-8859-1
S37
...


Notice that when the MDAAuth cookie is set, the "expires=" field has been
set. This is the only difference I can see between the three instances of
Set-Cookie above.

I think in old netscape HTTP, it should be "Expires=", but why isn't the
"Max-Age=" field used instead? And where is the "expires=" written in the
first place? Is this by Apache?

Sorry for the long email. I realise that you probably are not making much
use of Joist now, but any insights would be gratefully received :-)

best wishes,

Andy Cooke




-------------- Colm McCarten's posting to dev at releng dot tigris dot org, 24/08/2001

>>>> > - Netscape seems to be the only browser that correctly handles the docs download
>>>> > area... (on Windows opera and IE open a new window with a duplicate of the
>>>> > page). Also isn't there some problem about NS requiring a two-part
>>>> > COOKIE_DOMAIN? I would really appreciate any information anyone has on this
>>>> > since I haven't experienced problems in this area yet...
>>>>
>>>> This should definitely be made to work on IE ASAP.
>>>
>>>IE and Mozilla 093 both work with HEAD from JR's sandbox.
>>
>>For the record, this isn't the case in 1.0.8 which makes me think it must be a
>>recent change - anybody know to what? When?
>
>I hate to repost but any takers on this? I know the functionality has moved to
>nidaba so it's tricky to see what has changed in CVS. Does anyone remember
>addressing this bug? I don't see anything in IZ (although maybe related to #37)
>Even a pointer as to what might need looked at? I can't see anything in the
>generated HTML that looks dodgy so I'm thinking it is an Apache config thing...
>clues?

This seems to be something to do with cookies - I'm logging the
ProjectDocumentList's output and it seems fine but different clients are seeing
different cookies - IE seems to see a different domain path than NS (or Opera)
and after accepting this still goes to a duplicate of the page...

Anyone equally bothered by this?

colm


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@releng.tigris.org
For additional commands, e-mail: dev-help at releng dot tigris dot org
-------------------
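
A diagnostic for the three Set-Cookie headers captured in the log above, added here as an example and not code from Joist, Noodle or Tigris: it parses each header, reports whether expires is present, and checks the Domain attribute against the request host and against the period-count rule of the original Netscape cookie specification. Cookie values are placeholders, the request host for S1 is an assumption, and all function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not from the thread's code.
const SPECIAL_TLDS = new Set(["com", "edu", "net", "org", "gov", "mil", "int"]);
// Split a Set-Cookie header into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attrs = {};
  for (const part of rest) {
    if (!part) continue; // tolerate a trailing ";"
    const eq = part.indexOf("=");
    const key = (eq < 0 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq < 0 ? true : part.slice(eq + 1);
  }
  return { name, attrs };
}

// Netscape cookie spec rule: a Domain needs at least two periods under the
// seven special TLDs and at least three under any other TLD.
function netscapeDomainOk(domain) {
  const periods = (domain.match(/\./g) || []).length;
  const tld = domain.slice(domain.lastIndexOf(".") + 1).toLowerCase();
  return periods >= (SPECIAL_TLDS.has(tld) ? 2 : 3);
}

// Suffix match: the request host must be the domain or a subdomain of it.
function hostInDomain(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  return host.toLowerCase() === d || host.toLowerCase().endsWith("." + d);
}

function auditSetCookie(host, header) {
  const { name, attrs } = parseSetCookie(header);
  const domain = attrs.domain || host; // no Domain attribute: host-only cookie
  return {
    name, domain, hasExpires: "expires" in attrs,
    hostInDomain: hostInDomain(host, domain),
    netscapeDomainOk: !attrs.domain || netscapeDomainOk(domain),
  };
}

// Constructed input: attributes copied from the S1/S36/S37 log excerpts,
// cookie values replaced by placeholders. The S1 host is an assumption.
const SAMPLE = [
  ["owl-sqa.jake.owl.co.uk", "JServSessionIdservlets=PLACEHOLDER; domain=.owl.co.uk; path=/"],
  ["owl-sqa.jake.owl.co.uk", "MDAAuth=PLACEHOLDER; expires=Thu, 20-Sep-2001 15:31:46 GMT; domain=.co.uk; path=/"],
  ["www.jake.owl.co.uk", "MDABack=PLACEHOLDER; path=/; domain=.jake.owl.co.uk"],
];
const report = SAMPLE.map(([host, header]) => auditSetCookie(host, header));
console.table(report);
```

Run with node; in the resulting table MDAAuth is the only row with hasExpires true and the only row where netscapeDomainOk is false.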

