Re: lynx-dev Accepting invalid cookies - was: cookie bug (not in lynx)

[brian j. pardy]

On 27 Dec 1998, Klaus Weide wrote:
> On Wed, 23 Dec 1998, brian j. pardy wrote:
> > From <URL:http://www.paradise.net.nz/~glineham/cookiemonster.html>:
> > 
> >     HTTP Cookie Bug Affecting Servers On Non-US Domains
> >
> > [...]
> > 
> > My concern here -- the patch in 2.8.1 that will accept cookies with
> > invalid domains *IF* ACCEPT_ALL_COOKIES is enabled. 
> > 
> > This is either a bug or a feature, depending on what ACCEPT_ALL_COOKIES is
> > defined to mean.
> 
> I agree that there is a problem.  ACCEPT_ALL_COOKIES is currently
> overloaded to mean (at least) two things:
> 
> (1) Accept cookies from all domains
> (2) Accept (some) invalid cookies
> 
> That means that (a) if you set ACCEPT_ALL_COOKIES because you don't want to
> be prompted for new cookies from new domains, you get the side effect of
> accepting even invalid cookies; and (b) if you set ACCEPT_ALL_COOKIES to
> work around some problem with a specific site, you won't be prompted for
> new domains at all.

My original thoughts in implementing ACCEPT_ALL_COOKIES were for it to 
simply be a toggle that would allow one to automatically bypass the 
"accept cookie <foo> from domain <bar>" prompt.  

> These are conceptuallt two different things, they should be controllable
> by separate options.  Either an additional flag/option is needed, or
> even a way to allow (some) invalid cookies on a per-domain basis.

Perhaps a new option similar to COOKIE_ACCEPT_DOMAINS to specify
servers that are specifically allowed to set invalid domains?  I can't
think of any way to allow such things without violating the
specification, but it's pretty obvious that some people want such
things to be allowed.

There seem to be problems with the spec as it now exists.  A few posts
on BUGTRAQ have pointed out some of the problems -- it seems like a
browser following the spec will still be open to problems.

See:

<URL:http://www.geek-girl.com/bugtraq/1998_4/0741.html>

> The behavior of ACCEPT_ALL_COOKIES is also not consistently documented:
> The Users Guide says that "... Lynx will accept all cookies."  The
> comment in lynx.cfg says that "... Lynx will accept cookies from all
> domains with no user interaction."  Nothing is said about the effect on
> checking or validity.

I'm not sure which is the best description.  I didn't intend to bypass
the checking/validity in the first place, so either comment explains
my original intent -- "Behave as if 'A' were pressed whenever prompted 
for a cookie".

> I checked some of the history of ACCEPT_ALL_COOKIES in the archives.  I
> get the impression that at first this flag just meant "accept cookies
> from all domains", although I didn't check that far back.  (Correct me
> if I am wrong.)

That's correct (although if a cookie would never have come to the
point where the user is prompted for it, ACCEPT_ALL_COOKIES would have 
had no effect).

> The more permissive behavior seems to have been
> introduced in two stages: first, the INVALID_COOKIE_DOMAIN_CONFIRMATION
> prompt was skipped for LYAcceptAllCookies.  Later, the much broader
> change came based on the following exchange:
> 
>    Linkname: lynx-dev Version 0 cookie suggestion & minimal patch
>         URL: http://www.flora.org/lynx-dev/html/month1098/msg00829.html
> 
>    Linkname: Re: lynx-dev Version 0 cookie suggestion & minimal patch
>         URL: http://www.flora.org/lynx-dev/html/month1098/msg00844.html
> 
> This 2nd change, the "if (co->version != 0 || !LYAcceptAllCookies)"
> around _all_ the initial checks in store_cookie, is _much_ too broad.
> Most notably it completely bypasses the "if (!host_matches(...))" test,
> so that cookies become completely promiscuous.  A better approach would
> have been to bypass just those tests that create problems in concrete
> cases.

Not having this code in front of me or remembering what I was thinking
at the time, I'm inclined to agree with you.

> [...]
> To summarize, IMO Lynx should (1) have at least something like an
> additional flag/option -accept_some_invalid_cookies (or
> -relaxed_cookie_checking?  or -something_completely_different?), and
> (2) don't accept all cookies completely unchecked _even if_ that flag
> is set.

Agree with (2), possibly agree with (1).  I personally don't think 
a server should be allowed to violate spec by sending illegal cookies
(I think the original problem was with my.yahoo.com), but the Big
Browsers seem to allow this, and at least one person wanted it.

-- 
GPG & PGP public keys: <URL:http://www.psnw.com/~posterkid/keys/> 
PGP fingerprint: 42 57 B3 D2 39 8E 74 C3  5E 4D AC 43 25 D2 26 D4