[Lynx-dev] Silently rejecting '.domain.tld' cookies from http://domain.t


From: Claudio Calvelli
Subject: [Lynx-dev] Silently rejecting '.domain.tld' cookies from http://domain.tld
Date: Sat, 26 Apr 2008 14:36:44 +0100

(I looked through the mailing list archives but I can't see anything
about this, most of the discussion seems to be about cookie paths
rather than domains)

I noticed this trying to log in to https://launchpad.net/ with 2.8.7dev.8
(and older versions). The server tries to set a cookie, but lynx
discards it silently. The server sends:

Set-Cookie: ... Domain=.launchpad.net; ...

the trace shows:

/tmp/lynx2-8-7/src/LYCookie.c: 442: store_cookie: Rejecting domain 
'.launchpad.net' for host 'launchpad.net'.

I understand that a host name 'domain.tld' can only set cookies for
itself (unlike 'www.domain.tld'), however shouldn't lynx ask the user
rather than discarding the cookies silently?

I made a patch to accept the invalid cookie in the special case of
domain.tld setting a cookie for .domain.tld - so I could log in to
the site. It doesn't tell the user that the cookie is invalid, it
just gives the normal "Allow? (Y/N/Always/neVer)" prompt. If people
think that this is acceptable, the patch is below.

C

--- src/LYCookie.c-orig 2008-04-26 10:08:09.000000000 +0100
+++ src/LYCookie.c      2008-04-26 11:05:15.000000000 +0100
@@ -226,6 +226,17 @@
            if (!strcasecomp((A + diff), B))
                return YES;
        }
+
+       /*
+        * a site "domain.tld" wishing to provide cookies for ".domain.tld"
+        * will not be matched by the above; the problem happens for example
+        * when one tries to login to launchpad.net; the cookie spec is
+        * unclear about this special case
+        */
+       if (diff == -1) {
+           if (!strcasecomp(A, (B - diff)))
+               return YES;
+       }
     }
     return NO;
 }
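Review bot: The new "if (diff == -1)" branch never checks that B begins with a dot: strcasecomp(A, (B - diff)) compares A with B + 1, so whatever character sits in B[0] is ignored. Assuming diff is the length difference that the existing (A + diff) comparison relies on, any B that is A with one extra leading character would return YES, unless a condition outside this hunk already guarantees the leading dot. Suggest "if (diff == -1 && B[0] == '.')" and writing the offset as B + 1, which reads more clearly and agrees with the co->domain[0] == '.' test in the second hunk.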
@@ -678,7 +689,9 @@
        next = hl->next;
 
        if ((co) &&             /* speed-up host_matches() and limit trace 
output */
-           (LYstrstr(hostname, co->domain) != NULL)) {
+           (LYstrstr(hostname, co->domain) != NULL ||
+            /* special case, see note in host_matches() */
+            (co->domain[0] == '.' && strcasecmp(hostname, co->domain+1) == 
0))) {
            CTrace((tfp, "Checking cookie %p %s=%s\n",
                    hl,
                    (co->name ? co->name : "(no name)"),
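Review bot: The added clause calls strcasecmp, while the first hunk and the existing host_matches() code use strcasecomp; use strcasecomp(hostname, co->domain+1) here so the file keeps a single case-insensitive compare. The condition also now carries a comment between its operands; moving "special case, see note in host_matches()" above the if would keep the expression readable.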


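The domain comparison discussed in this message, written out as a stand-alone check (an added example, not part of the original post and not Lynx's code). The function name cookie_domain_ok and the sample host/domain pairs are assumptions made for illustration; public-suffix handling (for example ".co.uk") is not covered.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/*
 * Hypothetical helper, not Lynx's host_matches(): return 1 when a cookie
 * whose Domain attribute is `domain` may be accepted from `host`.
 */
int cookie_domain_ok(const char *host, const char *domain)
{
    size_t hlen, dlen;

    if (host == NULL || domain == NULL || *host == '\0' || *domain == '\0')
        return 0;
    /* Exact match: the host sets a cookie for itself. */
    if (strcasecmp(host, domain) == 0)
        return 1;
    /* Every remaining case needs a leading dot on the Domain value... */
    if (domain[0] != '.')
        return 0;
    /* ...and an embedded dot after it, so ".net" alone is refused. */
    if (strchr(domain + 1, '.') == NULL)
        return 0;
    /* Special case from the post: "domain.tld" setting ".domain.tld". */
    if (strcasecmp(host, domain + 1) == 0)
        return 1;
    /* Usual case: host is a subdomain and ends with ".domain.tld". */
    hlen = strlen(host);
    dlen = strlen(domain);
    if (hlen > dlen && strcasecmp(host + (hlen - dlen), domain) == 0)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample pairs: { host, Domain attribute }. */
    const char *cases[][2] = {
        { "launchpad.net",      ".launchpad.net" },  /* the reported case */
        { "bugs.launchpad.net", ".launchpad.net" },
        { "launchpad.net",      "xlaunchpad.net" },  /* no leading dot */
        { "notlaunchpad.net",   ".launchpad.net" },
        { "launchpad.net",      ".net" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s %-16s -> %d\n", cases[i][0], cases[i][1],
               cookie_domain_ok(cases[i][0], cases[i][1]));
    return 0;
}
```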

