Re: [Lynx-dev] Tr: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Mon, 6 Jun 2011 19:46:42 -0400 (EDT)
On Mon, 6 Jun 2011, Shérab wrote:
Hello again Thomas and all,
I am forwarding two answers I got from the infrastructure mailing list
in charge of Drupal.org.
According to these answers, the problem might have more to do with
domain than with path attribute of cookies...
But anyway it's good to know there will ultimately be a solution...
----- Forwarded message from Damien Tournoud <address@hidden> -----
From: Damien Tournoud <address@hidden>
Subject: Re: [infrastructure] [Cookie problem ?] Can't log in to drupal.org
Date: Sun, 5 Jun 2011 17:11:16 +0200
To: "Drupal.org Infrastructure Maintainers" <address@hidden>,
This is a well-known issue in Lynx. Lynx is known to implement the
original Cookie RFC (RFC 2109) correctly; it is probably also the only
browser that does.
It would be nice to have some pointer to the source of "well-known", etc.,
since Google isn't being helpful, either.
According to RFC 2109, the domain part of Set-Cookie *MUST* begin with
a dot, and "example.com" is not a "domain-match" for
".example.com". As a consequence, cookies set for ".drupal.org"
do not apply to "drupal.org". This (arguably silly) requirement has
never been implemented by mainstream browsers and is now officially
reverted by the newer RFC 6265.
on the other hand, no one had reported this detail as a bug report on
(More precisely, RFC 6265 mandates that browsers should ignore a
leading "." in the Domain attribute if sent by the server. See section
5.2.3. This is an extension of the behavior currently implemented in
most browsers, and makes it impossible to have cookies that apply to
example.com, but not x.example.com.)
RFC 6265 was published in April 2011, obsoleting
RFC 2965, which was published in October 2000, in turn obsoleting
RFC 2109, which was published in February 1997.
I was aware of 2965 of course, but don't recall anything in _that_
which affected the domain-matching rules. I'll read the latest iteration.
Thomas E. Dickey
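
The two domain-matching rules discussed in this thread, side by side, as an added example that is not part of the original messages and is not Lynx or Drupal code. The function names are hypothetical, and every host other than drupal.org is a constructed sample; the logic follows the domain-match definition in RFC 2109 section 2 and RFC 6265 sections 5.1.3 and 5.2.3 for a cookie that carries an explicit Domain attribute.

```python
import ipaddress

def _is_ip(host):
    """True if host is an IP literal; both RFCs match IP addresses only exactly."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match_2109(host, domain):
    """RFC 2109 section 2: host matches if identical, or host = N + domain
    where N is non-empty and domain begins with a dot."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if _is_ip(host) or not domain.startswith("."):
        return False
    return host.endswith(domain) and len(host) > len(domain)

def domain_match_6265(host, domain_attr):
    """RFC 6265: drop one leading dot from the Domain attribute (5.2.3),
    then match if identical or a suffix on a label boundary (5.1.3)."""
    host, domain = host.lower(), domain_attr.lower()
    if domain.startswith("."):
        domain = domain[1:]
    if not domain:                      # an empty Domain value is ignored
        return False
    if host == domain:
        return True
    return not _is_ip(host) and host.endswith("." + domain)

def compare(host, domain_attr):
    """Return (rfc2109_result, rfc6265_result) for one request host."""
    return (domain_match_2109(host, domain_attr),
            domain_match_6265(host, domain_attr))

if __name__ == "__main__":
    # Constructed request hosts checked against Domain=.drupal.org
    for host in ("drupal.org", "www.drupal.org", "notdrupal.org", "10.0.0.1"):
        old, new = compare(host, ".drupal.org")
        print(f"{host:16} RFC 2109: {old!s:5}  RFC 6265: {new}")
```

The first row is the login failure from the thread: the cookie is set for ".drupal.org" while the request host is "drupal.org". Neither rule matches "notdrupal.org", because the suffix comparison must fall on a label boundary.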