>> And, while we're talking about cookies: Does anyone know
>> whether switching from the cookie attribute "Expires" (which
>> was part of the original Netscape cookie proposal) to the
>> RFC2109 cookie attribute "Max-Age" is likely to cause any
>> problems?
It appears to, at least with NS.
I've been trying to fix the cookie authentication problem, and have been experimenting with various things, including max-age vs expires. As near as I can tell, with NS 4.73 (and probably earlier), if I set max-age but not expires, NS never saves the cookie to disk. I.e. it treats it like a session cookie, sending it just fine when requested until the browser is exited. The cookie is lost when NS is started up the next time. This is not desirable.
I've only played with MSIE a little bit and it seems to make no difference with it. Neither does it make a difference with Lynx. So, I'm not going to make this change.
Now, what could possibly be confusing some browsers, and causing the unexpected re-authorization problems, might be related to binary data in the cookie value and improper quoting. What Cookie.py does is, if the value is not a string, it pickles the object and sets the value to the pickled representation. This will contain 8-bit data, including possibly quote characters, semi-colons, etc. I have a feeling that some of these combinations are just not handled correctly by some browsers. Subsequent log-ins succeed because the current time is different enough that the cookie value doesn't contain any of those wacky characters.
So I've made two changes. First, I'm using sha instead of md5 to generate the hash of password+current_time+expires_time -- I don't think this'll make any real difference. Second, I'm `hexlifying' the cookie value. This guarantees that the value will contain only characters [0-9][a-f] so no quoting should be necessary and there will be no strange characters to confuse things.
My access to browsers is very limited so I have no idea if this fixes things or not. For NS4.73, MSIE5, and Lynx, it doesn't seem to make the situation /worse/.
I'll be checking these changes in over the next hour or so, so please do an update and see what you think.
-Barry
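The two changes described above, hexlifying the hash so the cookie value never needs quoting and sending both Expires and Max-Age, carried out as an added Python 3 example that is not code from this thread or from the project it discusses. It assumes hashlib.sha1 in place of the old `sha' module and http.cookies.SimpleCookie in place of Cookie.py; the password, timestamp and cookie name are constructed sample values. The needs_quoting check uses the cookie-octet set from RFC 6265, which is stricter than what the old browsers tested here required, so anything it accepts was safe for them too.

```python
import binascii
import hashlib
import pickle
import re
from email.utils import formatdate
from http.cookies import SimpleCookie

# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE,
# comma, semicolon and backslash.  A value containing anything else has
# to be quoted, and quoting is what the old browsers handled unevenly.
_COOKIE_OCTET = re.compile(r'\A[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*\Z')


def needs_quoting(value: str) -> bool:
    """True if the value cannot be sent as a bare, unquoted cookie-value."""
    return _COOKIE_OCTET.match(value) is None


def pickled_cookie_value(obj) -> str:
    """What Cookie.py did for a non-string value: pickle it.  Protocol 0
    output always contains newline terminators, so it can never be sent
    without quoting; binary protocols are even worse."""
    return pickle.dumps(obj, protocol=0).decode('latin-1')


def auth_token(password: str, now: int, expires: int) -> str:
    """Hash of password+current_time+expires_time (sha instead of md5),
    hexlified so the value is 40 characters from [0-9a-f] only."""
    material = f"{password}{now}{expires}".encode('utf-8')
    digest = hashlib.sha1(material).digest()
    return binascii.hexlify(digest).decode('ascii')


def set_cookie_header(name: str, value: str, now: int, lifetime: int) -> str:
    """Emit both Expires (for Netscape-era browsers, which treat a cookie
    with only Max-Age as a session cookie) and Max-Age (RFC 2109)."""
    jar = SimpleCookie()
    jar[name] = value                      # hex value: SimpleCookie adds no quotes
    jar[name]['expires'] = formatdate(now + lifetime, usegmt=True)
    jar[name]['max-age'] = lifetime
    return jar.output(header='Set-Cookie:')


if __name__ == '__main__':
    now = 1_000_000_000                    # constructed timestamp (hypothetical)
    token = auth_token('hunter2', now, now + 3600)
    print(set_cookie_header('list_auth', token, now, 3600))
    print('pickled value needs quoting:', needs_quoting(pickled_cookie_value(('hunter2', now))))
    print('hex token needs quoting:', needs_quoting(token))
```

Running it prints one Set-Cookie line carrying both attributes, then True for the pickled value and False for the hexlified token, which is the whole point of the second change: a client only ever sees a bare [0-9a-f] string, so no quoting rule on either side can disagree.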