Thread: Silently rejecting '.domain.tld' cookies from http://domain.tld




Silently rejecting '.domain.tld' cookies from http://domain.tld
United Kingdom
2008-04-26 08:36:44
(I looked through the mailing list archives but I can't see anything
about this, most of the discussion seems to be about cookie paths
rather than domains)

I noticed this trying to log in to https://launchpad.net/ with
2.8.7dev.8 (and older versions). The server tries to set a cookie, but
lynx discards it silently. The server sends:

Set-Cookie: ... Domain=.launchpad.net; ...

the trace shows:

/tmp/lynx2-8-7/src/LYCookie.c: 442: store_cookie: Rejecting domain '.launchpad.net' for host 'launchpad.net'.

I understand that a host name 'domain.tld' can only set cookies for
itself (unlike 'www.domain.tld'), however shouldn't lynx ask the user
rather than discarding the cookies silently?

I made a patch to accept the invalid cookie in the special case of
domain.tld setting a cookie for .domain.tld - so I could log in to
the site. It doesn't tell the user that the cookie is invalid, it
just gives the normal "Allow? (Y/N/Always/neVer)" prompt. If people
think that this is acceptable, the patch is below.

--- src/LYCookie.c-orig	2008-04-26 10:08:09.000000000 +0100
+++ src/LYCookie.c	2008-04-26 11:05:15.000000000 +0100
 -226,6
+226,17 
 	    if (!strcasecomp((A + diff), B))
 		return YES;
 	}
+
+	/*
+	 * a site "domain.tld" wishing to provide
cookies for ".domain.tld"
+	 * will not be matched by the above; the problem happens
for example
+	 * when one tries to login to launchpad.net; the cookie
spec is
+	 * unclear about this special case
+	 */
+	if (diff == -1) {
+	    if (!strcasecomp(A, (B - diff)))
+		return YES;
+	}
     }
     return NO;
 }
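
Review bot: In the new "if (diff == -1)" branch, strcasecomp(A, (B - diff)) compares A against B + 1, so the first character of B is skipped without ever being checked. Any B that is A with one arbitrary leading character returns YES, not only ".domain.tld". Add B[0] == '.' to the condition, as the second hunk does with co->domain[0] == '.'. The branch also returns the same YES as an ordinary match, so the caller has no way to tell the user that this cookie was accepted under the special case.
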
 -678,7
+689,9 
 	next = hl->next;
 
 	if ((co) &&		/* speed-up host_matches() and limit
trace output */
-	    (LYstrstr(hostname, co->domain) != NULL)) {
+	    (LYstrstr(hostname, co->domain) != NULL ||
+	     /* special case, see note in host_matches() */
+	     (co->domain[0] == '.' &&
strcasecmp(hostname, co->domain+1) == 0))) {
 	    CTrace((tfp, "Checking cookie %p %s=%sn",
 		    hl,
 		    (co->name ? co->name : "(no name)"),
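
Review bot: The added condition calls strcasecmp(), while the first hunk and its surrounding context use strcasecomp(); use strcasecomp(hostname, co->domain+1) here so both halves of the special case compare the same way. This line also repeats the ".domain.tld" test from host_matches() instead of sharing it, so the two copies can drift apart; a small helper called from both places would keep the rule in one spot.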


_______________________________________________
Lynx-dev mailing list
Lynx-dev@nongnu.org
http://lists.nongnu.org/mailman/listinfo/lynx-dev
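
Added example (not part of the original post and not Lynx code): a stand-alone C classifier for the case raised in this message. It reports host 'domain.tld' being offered Domain='.domain.tld' as its own result, so a caller can prompt instead of silently rejecting or silently accepting. The function name and result codes are hypothetical, and no top-level or public-suffix check is done.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result codes for this example (not Lynx's own). */
enum dom_result { DOM_REJECT, DOM_MATCH, DOM_APEX_DOT };

/*
 * Classify a Set-Cookie Domain attribute against the request host.
 *   DOM_MATCH    - same name, or host ends in domain at a label boundary
 *   DOM_APEX_DOT - host "domain.tld" was offered ".domain.tld" (the case
 *                  in this thread); kept separate so a caller can prompt
 *   DOM_REJECT   - anything else
 * No top-level / public-suffix check is done here.
 */
enum dom_result classify_cookie_domain(const char *host, const char *domain)
{
    size_t hlen, dlen;
    if (!host || !domain || !*host || !*domain)
        return DOM_REJECT;
    hlen = strlen(host);
    dlen = strlen(domain);

    if (hlen == dlen)
        return strcasecmp(host, domain) == 0 ? DOM_MATCH : DOM_REJECT;

    if (hlen > dlen) {
        const char *tail = host + (hlen - dlen);
        if (strcasecmp(tail, domain) != 0)
            return DOM_REJECT;
        /* "evillaunchpad.net" must not match "launchpad.net". */
        return (domain[0] == '.' || tail[-1] == '.') ? DOM_MATCH : DOM_REJECT;
    }

    /* Domain is longer: only "." + host qualifies, and the extra
     * character must really be a dot, not just any byte. */
    if (dlen == hlen + 1 && domain[0] == '.' &&
        strcasecmp(host, domain + 1) == 0)
        return DOM_APEX_DOT;
    return DOM_REJECT;
}

int main(void)
{
    /* Constructed sample pairs; launchpad.net is the host from the thread. */
    printf("%d\n", classify_cookie_domain("launchpad.net", ".launchpad.net"));
    printf("%d\n", classify_cookie_domain("launchpad.net", "xlaunchpad.net"));
    return 0;
}
```
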

Re: Silently rejecting '.domain.tld' cookies from http://domain.tld
United States
2008-04-26 10:03:02
On Sat, 26 Apr 2008, Claudio Calvelli wrote:

> I understand that a host name 'domain.tld' can only set cookies for
> itself (unlike 'www.domain.tld'), however shouldn't lynx ask the user
> rather than discarding the cookies silently?

probably (unless it's configurable in some other way).

thanks

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



Re: Silently rejecting '.domain.tld' cookies from http://domain.tld
United States
2008-04-26 17:17:13
On Sat, 26 Apr 2008, Claudio Calvelli wrote:

> I noticed this trying to log in to https://launchpad.net/ with
> 2.8.7dev.8 (and older versions). The server tries to set a cookie,
> but lynx discards it silently. The server sends:
>
> Set-Cookie: ... Domain=.launchpad.net; ...
>
> the trace shows:
>
> /tmp/lynx2-8-7/src/LYCookie.c: 442: store_cookie: Rejecting domain '.launchpad.net' for host 'launchpad.net'.

Please check your lynx.cfg file. It sounds as if you have
"COOKIE_STRICT_INVALID_DOMAINS" set. You probably want
"COOKIE_LOOSE_INVALID_DOMAINS" or "COOKIE_QUERY_INVALID_DOMAINS".

                      Doug

-- 
Doug Kaufman
Internet: dkaufmanrahul.net


