[Mailman-Developers] Cookie problems
Barry A. Warsaw
bwarsaw@beopen.com
Wed, 19 Jul 2000 16:09:37 -0400 (EDT)

>>>>> "DM" == Dan Mick <Dan.Mick@west.sun.com> writes:

DM> So, as I noted on mailman-users, I've been spending some time
DM> examining the cookie stuff. I found two things that raised my
DM> hackles a bit:
DM> 1) MakeCookie (in SecurityManager.py) is careful to keep track
DM> of "expires" as an int (converting the 'issued' time to int
DM> before adding ADMIN_COOKIE_LIFE), but "issued" remains a
DM> float. Floats for hard comparisons always make my hackles
DM> rise.

Oh yeah, so the other change I'm making is to coerce both issued and
expires to ints.

DM> 2) MakeCookie sets c[key]['expires'] to
DM> mm_cfg.ADMIN_COOKIE_LIFE, not to 'expires', which is
DM> calculated above; that means the cookie object doesn't have
DM> the 'issued' time added into its 'expires' field. Given that
DM> MakeCookie is apparently the source of the HTTP output, this
DM> seems wrong too.. seems like the Expires time is always going
DM> to be just the lifetime, not the actual expiry date.
DM> Am I misreading something?

[Dan answers his own question...]

DM> Yes...Cookie's _getdate() is used to set the expire time. How
DM> unintuitive!

NSS! (try to figure out /that/ acronym :)

Anyway, that surprises me too, so I've added a comment in the
SecurityManager code. I don't want to change Cookie.py if I don't
have to.

-Barry
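
Added example, not part of the original message and not Mailman's code: the two points in this thread, shown with Python 3's standard-library http.cookies, which treats an integer 'expires' as an offset in seconds from now when the header is rendered. The ADMIN_COOKIE_LIFE value, the cookie name and value, and all helper names are assumptions made for the illustration.

```python
import time
from email.utils import mktime_tz, parsedate_tz
from http.cookies import SimpleCookie

ADMIN_COOKIE_LIFE = 7200  # constructed value, in seconds


def issue_times(now=None):
    """Return (issued, expires) as ints so later comparisons are exact."""
    issued = int(time.time() if now is None else now)
    return issued, issued + ADMIN_COOKIE_LIFE


def make_header(key, value, expires_field):
    """Build one cookie and return its Set-Cookie attribute string."""
    c = SimpleCookie()
    c[key] = value
    # An int here is NOT an absolute time: at output the module adds it
    # to the current time and renders the result as an HTTP date.
    c[key]["expires"] = expires_field
    return c[key].OutputString()


def header_expiry(header_value):
    """Parse the Expires attribute of a header back to epoch seconds."""
    for part in header_value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "expires":
            return mktime_tz(parsedate_tz(val))
    raise ValueError("no Expires attribute")


def compare():
    """Expiry sent to the browser for a relative vs. an absolute int."""
    issued, expires = issue_times()
    # Passing the lifetime: the browser sees roughly issued + lifetime.
    relative = header_expiry(make_header("admin", "x", ADMIN_COOKIE_LIFE))
    # Passing issued + lifetime: the issue time is counted twice, so the
    # cookie would outlive the server-side 'expires' by decades.
    absolute = header_expiry(make_header("admin", "x", expires))
    return issued, expires, relative, absolute


if __name__ == "__main__":
    issued, expires, relative, absolute = compare()
    print("server-side expires :", expires)
    print("header, lifetime int:", relative)
    print("header, absolute int:", absolute)
```

Whatever date the browser is given, the server-side check against the integer 'expires' is the one that decides whether the cookie is still honoured.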