Hello list,
The current version of Drakma contains a check of cookie domains' validity. A (textual) domain is considered to be valid iff either it contains a dot or is exactly "localhost". I'm sure there is a reason for this (perhaps some part of a relevant RFC?), but I got bitten by it in a real-world scenario. I was using Drakma for testing of a Java EE-based web application at my company, accessible at the internal address "http://someserver:9090/gui/app". The relevant headers returned are:
DRAKMA> (http-request "http://someserver:9090/gui/app") ==> "blah blah blah, some HTML" 200 ((:X-POWERED-BY . "Servlet/2.5") (:SERVER . "Sun Java System Application Server 9.1") (:SET-COOKIE . "JSESSIONID=41165991cdf70add1d9e0a103cfc; Path=/gui") (:CONTENT-TYPE . "text/html;charset=UTF-8") (:DATE . "Tue, 15 Jul 2008 00:14:24 GMT") (:CONNECTION . "close")) #<URI http://someserver:9090/gui/app%3E #<FLEXI-STREAMS::FLEXI-UTF-8-IO-STREAM {BB78A59}> T "OK"
and if I pass a cookie jar to such HTTP-REQUEST, the returned cookie is not included in the jar due to the checking machinery. FWIW, Firefox 3 does include it (and so the app works on Firefox 3, but fails the Drakma tests).
I quickly hacked up a patch (attached) to Drakma which adds a special variable *ALLOW-DOTLESS-COOKIE-DOMAINS-P*, which, when set to non-NIL, causes the domains like SOMESERVER to be accepted.
Might it be useful to include in the official distribution?
Best regards,
Hi Daniel,
On Mon, 14 Jul 2008 18:26:40 +0200, Daniel Janus daniel@sentivision.com wrote:
The current version of Drakma contains a check of cookie domains' validity. A (textual) domain is considered to be valid iff either it contains a dot or is exactly "localhost". I'm sure there is a reason for this (perhaps some part of a relevant RFC?), but I got bitten by it in a real-world scenario. I was using Drakma for testing of a Java EE-based web application at my company, accessible at the internal address "http://someserver:9090/gui/app".
I wouldn't call this "real-world" as in the real "real world" domain names without a dot don't exist... :)
But, yes, this is obviously useful for in-house testing.
I quickly hacked up a patch (attached) to Drakma which adds a special variable *ALLOW-DOTLESS-COOKIE-DOMAINS-P*, which, when set to non-NIL, causes the domains like SOMESERVER to be accepted.
Might it be useful to include in the official distribution?
Looks fine to me except that it's lacking the HTML documentation patch.
Could you add this and send a diff against the current dev version?
http://bknr.net/trac/browser/trunk/thirdparty/drakma
Thanks a lot, Edi.
Dnia 2008-07-16, śro o godzinie 09:29 +0200, Edi Weitz pisze:
Looks fine to me except that it's lacking the HTML documentation patch.
Whoops, I'm sorry. I omitted it, thinking that DOCUMENTATION-TEMPLATE would somehow automatically include the doc for new variable. Do you maintain the Drakma doc by hand?
In any case, the attached patch is a second attempt. I changed the docstring of *ALLOW-DOTLESS-COOKIE-DOMAINS-P* to be a little more elaborate and moved its definition to specials.lisp. Is that OK?
On Wed, 16 Jul 2008 11:11:32 +0200, Daniel Janus daniel@sentivision.com wrote:
Whoops, I'm sorry. I omitted it, thinking that DOCUMENTATION-TEMPLATE would somehow automatically include the doc for new variable. Do you maintain the Drakma doc by hand?
Yes, unfortunately. DOCUMENTATION-TEMPLATE is currently only used to generate the initial page, but updates are done manually. I'm working on automating this process, but it's one of my projects that's laying dormant due to lack of time... :(
In any case, the attached patch is a second attempt. I changed the docstring of *ALLOW-DOTLESS-COOKIE-DOMAINS-P* to be a little more elaborate and moved its definition to specials.lisp. Is that OK?
Thanks, I'll add this to the dev version.
-
Daniel Janus -
Edi Weitz