[Mailman-Developers] Cookie problems

Barry A. Warsaw bwarsaw@beopen.com
Wed, 19 Jul 2000 16:09:37 -0400 (EDT)


>>>>> "DM" == Dan Mick <Dan.Mick@west.sun.com> writes:

    DM> So, as I noted on mailman-users, I've been spending some time
    DM> examining the cookie stuff.  I found two things that raised my
    DM> hackles a bit:

    DM> 1) MakeCookie (in SecurityManager.py) is careful to keep track
    DM> of "expires" as an int (converting the 'issued' time to int
    DM> before adding ADMIN_COOKIE_LIFE), but "issued" remains a
    DM> float.  Floats for hard comparisons always make my hackles
    DM> rise.

Oh yeah, so the other change I'm making is to coerce both issued and
expires to ints.

    DM> 2) MakeCookie sets c[key]['expires'] to
    DM> mm_cfg.ADMIN_COOKIE_LIFE, not to 'expires', which is
    DM> calculated above; that means the cookie object doesn't have
    DM> the 'issued' time added into its 'expires' field.  Given that
    DM> MakeCookie is apparently the source of the HTTP output, this
    DM> seems wrong too..  seems like the Expires time is always going
    DM> to be just the lifetime, not the actual expiry date.

    DM> Am I misreading something?

[Dan answers his own question...]

    DM> Yes...Cookie's _getdate() is used to set the expire time.  How
    DM> unintuitive!

NSS!  (try to figure out /that/ acronym :)

Anyway, that surprises me too, so I've added a comment in the
SecurityManager code.  I don't want to change Cookie.py if I don't
have to.

-Barry
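
The behaviour discussed in this message, as an added example that is not part of the original post and is not Mailman's code: an integer 'expires' on a cookie is treated as a lifetime in seconds and rendered as an absolute date, while issued/expires inside the payload are kept as ints for exact comparison. It uses Python 3's http.cookies (the successor to Cookie.py); the payload layout, the key name and the ADMIN_COOKIE_LIFE value are assumptions made for illustration.

```python
import time
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

ADMIN_COOKIE_LIFE = 3600  # seconds; constructed stand-in for mm_cfg.ADMIN_COOKIE_LIFE


def make_cookie(key, now=None):
    """Build a cookie whose payload carries integer issued/expires times."""
    issued = int(time.time() if now is None else now)
    expires = issued + ADMIN_COOKIE_LIFE
    c = SimpleCookie()
    c[key] = "%d:%d" % (issued, expires)  # hypothetical payload layout
    # An int here is a lifetime in seconds, not a date: the cookie module
    # adds the current time itself when the header is rendered.
    c[key]["expires"] = ADMIN_COOKIE_LIFE
    return c, issued, expires


def header_expiry(c, key):
    """Return the absolute Expires time (epoch seconds) from the rendered header."""
    rendered = c[key].OutputString()
    for attr in rendered.split("; "):
        name, _, value = attr.partition("=")
        if name.lower() == "expires":
            return int(parsedate_to_datetime(value).timestamp())
    raise ValueError("no expires attribute in %r" % rendered)


def cookie_is_valid(value, now):
    """Server-side check using only integer comparisons."""
    try:
        issued, expires = (int(part) for part in value.split(":"))
    except ValueError:
        return False  # malformed or float-formatted payloads are rejected
    return issued <= int(now) < expires and expires - issued == ADMIN_COOKIE_LIFE


if __name__ == "__main__":
    cookie, issued, expires = make_cookie("testlist_admin")
    print(cookie.output())
    print("payload expires:", expires, "header expires:",
          header_expiry(cookie, "testlist_admin"))
```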