Eli the Bearded
2012-01-24 06:53:34 UTC
I know from testing that trying to set a cookie with the domain
set to match the name and port of the server is not accepted by
Firefox. I'm curious if this is an oversight on their part or
a real limitation of cookies.
What I have is a single server with dev and live versions of a
site running on different ports. I'd really like to have my
session cookies stay with the appropriate version of the site,
instead of each considering the other's invalid and asking for a
relogin.
I've read the BNF in RFC6265 section 4.1, and it refers to
domains:
domain-av = "Domain=" domain-value
domain-value = <subdomain>
; defined in [RFC1034], Section 3.5, as
; enhanced by [RFC1123], Section 2.1
Trouble is RFC1034 and RFC1123 are (1) ancient (no IPv6 support
in *those*) and (2) not the same definition of a host name used
by HTTP.
RFC1034 disallows domains that start with a number, while enhancement
of RFC1123 fixes that. But you've got a domain with labels from [a-z0-9-]
or a dotted quad. This matches the definition of <host> in RFC1738,
but that has been obsoleted by RFC3986, which does allow an IPv6address.
So clearly RFC6265 is broken with respect to bare IPv6 addresses, and
while the intent seems to be that :port was never supposed to be there,
it sure seems wrong to me to allow it in a URL, but not a cookie.
Comments?
Elijah
------
not expecting many
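As an added illustration of the behaviour described in the post (example code, not from the original post or any browser): a minimal implementation of the RFC 6265 Domain attribute parsing (section 5.2.3) and domain-matching (section 5.1.3) rules, plus a cookie jar keyed the way section 5.3 keys it. The grammar has no place for a ":port" or a bracketed IPv6 address, and the port never enters the jar's key, so two sites on different ports of one host overwrite each other's cookies. The `CookieJar` class, host names and values are constructed for the example.

```python
import re

# RFC 1123 host name: labels of [A-Za-z0-9-], no leading/trailing '-',
# joined by dots. Colons, ports and brackets do not fit this grammar.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def parse_domain_attribute(value):
    """Canonicalise a Domain attribute (RFC 6265 s5.2.3), or None if invalid.

    A leading '.' is stripped and the value lowercased. 'host:8080' and
    '[2001:db8::1]' fail the host-name grammar, so a user agent ignores them.
    """
    domain = (value[1:] if value.startswith(".") else value).lower()
    return domain if _HOSTNAME_RE.match(domain) else None


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3: exact match, or dotted suffix of a non-IP host."""
    request_host = request_host.lower()
    if request_host == cookie_domain:
        return True
    if not request_host.endswith("." + cookie_domain):
        return False
    return re.fullmatch(r"[0-9.]+", request_host) is None  # IPs never suffix-match


class CookieJar:
    """Constructed jar keyed like RFC 6265 s5.3: (name, domain, path), no port."""

    def __init__(self):
        self.store = {}

    def set_cookie(self, request_host, request_port, name, value, domain_attr=None):
        if domain_attr is None:
            domain = request_host.lower()  # host-only cookie
        else:
            domain = parse_domain_attribute(domain_attr)
            if domain is None or not domain_matches(request_host, domain):
                return False  # attribute invalid or foreign: cookie ignored
        # request_port is deliberately unused: a cookie with the same name set
        # from another port of the same host replaces this one.
        self.store[(name, domain, "/")] = value
        return True

    def cookies_for(self, request_host, request_port):
        """Port is ignored here too; both dev and live receive the same set."""
        return {n: v for (n, d, _), v in self.store.items()
                if domain_matches(request_host, d)}
```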