#8 Wrong cookie headers for cookie version?

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2004-12-09
Created: 2004-12-03
Creator: Anonymous
Private: No

This isn't actually causing any trouble that I've seen,
especially not with session cookies, but it looks like it's
wrong nonetheless.

The javadoc for the javax.servlet.http.Cookie class and
other docs I have found say that version numbering of
cookies is like this:

0 - original Netscape specification ("Set-Cookie")
1 - RFC2109 ("Set-Cookie")
2 - RFC2965 ("Set-Cookie2")

but Winstone does this:

1 - "Set-Cookie2"
everything else - "Set-Cookie"

You are probably getting away with it if version 2 is a
superset of version 1, and browsers understand both.
For the session cookie, you use version 0, and apart from
the erroneous "Discard" I reported elsewhere, you don't
write out anything that wasn't in the Netscape spec, so
that would end up OK.

Alan (Xarquol at aol.com)

Discussion

  • Rick Knowles

    Rick Knowles - 2004-12-04

    Logged In: YES
    user_id=716353

    Thanks - this is an interesting point. I had been kinda
    changing things back and forth a bit on the cookie headers,
    since I kept running into strange little weirdnesses where
    browsers didn't follow what I thought the spec was. As it
    turns out, they might well have been, cause I didn't even
    realise there was a cookie type 2 (only 0 and 1, I thought).

    This would explain the previous bug you lodged as well ...
    will take a look at these today.

    Thanks again for your help - it's great having someone give
    winstone a real flogging like this. It needed it badly.

    Rick

     
  • Rick Knowles

    Rick Knowles - 2004-12-04

    Logged In: YES
    user_id=716353

    OK fixed in CVS - thanks again.

    I haven't really had the time or resources to test this
    under different browsers etc, but my cursory test under
    firefox worked fine. Please let me know if you observe any
    weirdnesses.

     
  • Rick Knowles

    Rick Knowles - 2004-12-04
    • status: open --> pending-fixed
     
  • Nobody/Anonymous

    Logged In: NO

    Oops. I didn't read RFC2965 properly. It obsoleted RFC2109
    rather than being a new thing. I think there will be version
    2 cookies one day, but not yet. This means that I believe
    that your original code was correct, apart from the
    erroneous "Discard". You probably ought to back out the
    change you made for this "bug". I can't get at the SF CVS
    repository at the moment to see what you've done. Hopefully
    you didn't make too many changes.

    Presumably, they went with the Set-Cookie2 thing for version
    1 cookies in order to completely disambiguate them with the
    Netscape version 0 cookies, but I've no idea if browsers
    today pay attention to RFC2109 or RFC2965. You'd hope it's
    the latter, but given that even the J2EE 1.4 docs warn that
    RFC2109 is a new risky thing, who knows?

    Sorry for the confusion!

    Alan (Xarquol at aol.com)

     
  • Rick Knowles

    Rick Knowles - 2004-12-06

    Logged In: YES
    user_id=716353

    OK - I'll take your word on that, since I can't find as much
    info as you seem to have. I've left most of the changes from
    Saturday in, since 2 is not a legal value of setVersion()
    anyway. I just made the header name Set-Cookie2 for
    version 1, instead of Set-Cookie; otherwise no change.

    Please let me know if all this is ok in your wget environment.
    Thanks

     
  • Rick Knowles

    Rick Knowles - 2004-12-09
    • status: pending-fixed --> closed-fixed
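
The mapping the thread ends on (version 0 written as a Netscape-style Set-Cookie, version 1 written as Set-Cookie2, and no version 2), shown as an added Java example that is not Winstone's code. The class name, method names, cookie names and clock value are hypothetical, and Discard is emitted only for version 1 because the reporter calls it erroneous on a version 0 cookie.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

// Added illustration, not Winstone source; class and method names are hypothetical.
public class CookieHeaderDemo {

    // Header name per the thread's final state: version 0 -> Set-Cookie, version 1 -> Set-Cookie2.
    static String headerName(int version) {
        if (version == 0) return "Set-Cookie";
        if (version == 1) return "Set-Cookie2";
        throw new IllegalArgumentException("cookie version must be 0 or 1, got " + version);
    }

    // maxAge < 0 means a session cookie (no expiry attribute), as in javax.servlet.http.Cookie.
    static String headerLine(int version, String name, String value, String path,
                             int maxAge, boolean secure, boolean discard, long nowMillis) {
        StringBuilder out = new StringBuilder(headerName(version)).append(": ")
                .append(name).append('=').append(value);
        if (version == 1) {
            out.append("; Version=1");
            if (path != null) out.append("; Path=\"").append(path).append('"');
            if (maxAge >= 0) out.append("; Max-Age=").append(maxAge);
            if (discard) out.append("; Discard"); // RFC 2965 attribute only
        } else {
            // Netscape format: no Version, no Max-Age, no Discard; expiry is an absolute date.
            if (path != null) out.append("; path=").append(path);
            if (maxAge >= 0) {
                SimpleDateFormat fmt =
                        new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
                fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
                out.append("; expires=").append(fmt.format(new Date(nowMillis + maxAge * 1000L)));
            }
        }
        if (secure) out.append("; Secure");
        return out.toString();
    }

    public static void main(String[] args) {
        long now = 1102032000000L; // constructed clock value and sample cookies, for repeatable output
        System.out.println(headerLine(0, "JSESSIONID", "abc123", "/", -1, false, true, now));
        System.out.println(headerLine(0, "theme", "dark", "/app", 3600, true, false, now));
        System.out.println(headerLine(1, "theme", "dark", "/app", 3600, true, true, now));
    }
}
```

The first call passes discard=true for a version 0 cookie to show that the flag is dropped rather than written into a Netscape-format header.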
     
