[Mailman-Developers] cookies

Barry A. Warsaw bwarsaw@beopen.com
Wed, 19 Jul 2000 15:57:44 -0400 (EDT)


    >> And, while we're talking about cookies: Does anyone know
    >> whether switching from the cookie attribute "Expires" (which
    >> was part of the original Netscape cookie proposal) to the
    >> RFC2109 cookie attribute "Max-Age" is likely to cause any
    >> problems?

It appears to, at least with NS.

I've been trying to fix the cookie authentication problem, and have
been experimenting with various things, including max-age vs expires.
As near as I can tell, with NS 4.73 (and probably earlier), if I set
max-age but not expires, NS never saves the cookie to disk.  I.e. it
treats it like a session cookie, sending it just fine when requested
until the browser is exited.  The cookie is lost when NS is started up
the next time.  This is not desirable.

I've only played with MSIE a little bit and it seems to make no
difference with it.  Neither does it make a difference with Lynx.  So,
I'm not going to make this change.

Now, what could possibly be confusing some browsers, and causing the
unexpected re-authorization problems, might be related to binary data
in the cookie value and improper quoting.  What Cookie.py does is, if
the value is not a string, it pickles the object and sets the value to
the pickled representation.  This will contain 8-bit data, including
possibly quote characters, semi-colons, etc.  I have a feeling that
some of these combinations are just not handled correctly by some
browsers.  Subsequent log-ins succeed because the current time is
different enough that the cookie value doesn't contain any of those
wacky characters.

So I've made two changes.  First, I'm using sha instead of md5 to
generate the hash of password+current_time+expires_time -- I don't
think this'll make any real difference.  Second, I'm `hexlifying' the
cookie value.  This guarantees that the value will contain only
characters [0-9][a-f] so no quoting should be necessary and there will
be no strange characters to confuse things.

My access to browsers is very limited so I have no idea if this fixes
things or not.  For NS4.73, MSIE5, and Lynx, it doesn't seem to make
the situation /worse/.

I'll be checking these changes in over the next hour or so, so please
do an update and see what you think.

-Barry
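The two failure modes described in this message, a pickled cookie value carrying bytes that need quoting versus a hexlified digest that never does, as an added example. This is not Mailman's Cookie.py or Barry's checked-in code: hashlib.sha1 stands in for the old `sha` module, the way password, current time and expiry time are concatenated before hashing is an assumption, and the password and timestamps are constructed sample values.

```python
import hashlib
import pickle
from binascii import hexlify

# Bytes a cookie value can carry without any quoting: printable ASCII minus
# space, double quote, comma, semicolon and backslash (the separator and
# quoting characters of the Netscape cookie spec and RFC 2109).
SAFE_COOKIE_BYTES = frozenset(
    b for b in range(0x21, 0x7F) if chr(b) not in '",;\\'
)


def unsafe_bytes(value: bytes) -> list:
    """Byte values in `value` that a browser may mangle or truncate:
    8-bit bytes, control characters, whitespace, quotes, ';' and ','."""
    return sorted({b for b in value if b not in SAFE_COOKIE_BYTES})


def pickled_cookie_value(obj, protocol=0) -> bytes:
    """What a cookie library that pickles non-string values puts on the
    wire.  Protocol 0 is text but every opcode argument ends in a newline;
    protocol 2 is binary and always starts with byte 0x80."""
    return pickle.dumps(obj, protocol=protocol)


def cookie_hash_raw(password: str, now: int, expires: int) -> bytes:
    """Raw SHA-1 digest of password+current_time+expires_time.
    Joining the three fields by plain concatenation is an assumption of
    this example, not the project's scheme."""
    msg = (password + str(now) + str(expires)).encode("utf-8")
    return hashlib.sha1(msg).digest()


def cookie_hash_hex(password: str, now: int, expires: int) -> str:
    """The hexlified form: 40 characters, all in [0-9a-f], so it needs no
    quoting and contains nothing a browser could misparse."""
    return hexlify(cookie_hash_raw(password, now, expires)).decode("ascii")


def is_hex_only(value: str) -> bool:
    return value != "" and all(c in "0123456789abcdef" for c in value)


def sha1_of(data: bytes) -> bytes:
    """Digest of arbitrary data, so a known digest (e.g. SHA-1 of b"abc",
    which starts with 0xA9) can be checked for unsafe bytes."""
    return hashlib.sha1(data).digest()


if __name__ == "__main__":
    # Constructed sample: a (digest, timestamp) pair like a login cookie
    # might hold before the hexlify change.
    now, expires = 964036664, 964040264
    old_style = (cookie_hash_raw("hunter2", now, expires), now)
    print("pickle p0 unsafe bytes:", unsafe_bytes(pickled_cookie_value(old_style, 0)))
    print("pickle p2 unsafe bytes:", unsafe_bytes(pickled_cookie_value(old_style, 2)))
    print("raw digest unsafe bytes:", unsafe_bytes(old_style[0]))
    print("hexlified value:", cookie_hash_hex("hunter2", now, expires))
```

The point the check makes concrete: whether a raw digest or pickle happens to contain a `;`, a quote or an 8-bit byte depends on the input, which is why the problem in the message came and went with the login time, while the hex encoding removes the possibility rather than reducing its likelihood.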