[Mailman-Developers] cookies

Harald Meland Harald.Meland@usit.uio.no
10 May 2000 23:04:11 +0200


[Ricardo Kustner]

> Hi,
> 
> On Tue, May 09, 2000 at 09:12:49PM +0200, Harald Meland wrote:
> > > > Please write a patch which puts the string "Cookie could not be set" on the
> > > > web page so that I can see that pressing submit will not work :-)
> > > I think that's a good point... it would save some user questions if
> > > MM tells exactly why the authorisation failed.
> > While I agree that such a warning would be nice, I don't think it's
> > possible to do such things with cookies.
> it's possible to set a test cookie to see if cookies are
> enabled...

Ahh, I didn't even think of using multiple cookies :)

If I understand you correctly, you're proposing something like this:

  Whenever Mailman is about to write a login page (i.e. the user is
  not already authenticated), it first issues a

    Set-Cookie: Mailman_cookie_test="This cookie is only used to test whether your browser will be able to authenticate with Mailman"; Version=1

  HTTP header (If other Mailman cookies set attributes like Path or
  Domain, the test cookie should mirror these to make the test reflect
  real usage).

  Next, once the user has pressed the "Let me in..."  button, Mailman
  checks whether the Cookie has been sent back.  If it hasn't,
  authentication fails (as the user won't be able to make any changes
  anyway), and Mailman instructs the user to enable Cookies in her
  browser before retrying login.

  If the test Cookie is present, Mailman should issue a

    Set-Cookie: Mailman_cookie_test="clickety click"; Max-Age=0; Version=1

  HTTP header (to delete the test cookie, so that the test cookie
  isn't later confused with test cookies for login attempts at other
  lists).

  Finally, Mailman proceeds with password authentication as usual,
  possibly resulting in an authentication cookie.

Hmmmm... I guess the test cookie should contain info on what list it
is for, as well.

Have I understood you correctly?  Does anyone think that implementing
this (apart from my misunderstandings, of course :) would be a bad
thing?



And, while we're talking about cookies: Does anyone know whether
switching from the cookie attribute "Expires" (which was part of the
original Netscape cookie proposal) to the RFC2109 cookie attribute
"Max-Age" is likely to cause any problems?

I've had a look at Cookie.py, and the value part of the Expires
attribute isn't enclosed in double quotes (in accordance with the
original Netscape cookie proposal), which I believe might confuse
Mailman in some situations where the browser sends back more than one
cookie.

Of course, if there are any (major) browsers in use out there that
don't understand Max-Age, it would be a bad idea to change Mailman.
-- 
Harald