Location of Firefox source code that parses Set-Cookie header? - java

Can someone please point me to the Firefox source code where the Set-Cookie header is parsed? I want to understand the exact behavior.
Read further if you want to know why.
For various constraints in my application, I need to pass multiple cookies inside a single Set-Cookie header. RFC-2109 clearly mentions,
"Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs."
So I should be able to pass the following Set-Cookie header:
Set-Cookie: name1=value1; attr11=attrval11; attr12=attrval12,name2=value2; attr21=attrval21; attr22=attrval22;
It doesn't work. However, the following does work:
Set-Cookie: name1=value1, name2=value2; attr1=attrval1; attr2=attrval2;
And I want to give different attributes to different cookies.
[Update]
Real examples:
Example #1:
Set-Cookie: cookie1=value1; Path=/,cookie2=value2; Path=/
In this case Firefox parses and gets the first cookie (whose name is "cookie1" and value is "value1") out of it (the second one is completely ignored).
Example #2:
Set-Cookie: cookie1=value1,cookie2=value2; Path=/
In this case Firefox believes there is one cookie whose name is "cookie1" and value is "value1,cookie2=value2". This, again, is not what was intended.

A quick walk through MXR indicates the main logic is in nsCookieService::SetCookieInternal. You can follow the links back and forth as needed. As far as your actual problem, it may help if you give a real example header.

My understanding is that browsers implement the standard somewhat differently in respect to multiple cookies per Set-Cookie header. However, you can send multiple Set-Cookie headers to set the value of multiple cookies:
Set-Cookie: name1=value1; attr11=attrval11; attr12=attrval12
Set-Cookie: name2=value2; attr21=attrval21; attr22=attrval22
Although, is there any reason why you're manually adding headers to the response instead of using whatever your framework (PHP, ASP.NET, RoR, etc.) provides?

Well, reading the source code, it's clear that Firefox doesn't implement RFC-2109 in this regard and uses CR or LF instead of ',' as the cookie separator (notice lines 1934, 1959 and 1990 in http://mxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp). I tried both on Firefox v3.6.6: CR is working but LF is not.
Conclusion: on Firefox, I can use CR instead of ',' to separate cookies.
Glitch: none of (CR, LF, ',') works on Internet Explorer. Now can someone point me to the "source" code for IE where I can see what they're using as the cookie separator :-)

Related

How to know if a cookie is HttpOnly server side

I have an application using Spring Boot where I set an HttpOnly cookie. In the browser I can inspect it and see that it's well set as HttpOnly. With this I prevent the client side from using JavaScript on it.
But, do I have to do anything on the server side when reading the cookie? As far as I understand, I cannot use JavaScript to read the cookie, but I can still create a non-HttpOnly cookie with the same name and value as the HttpOnly one just using a browser plugin. On the server side, wouldn't I need to verify the cookie and whether it's HttpOnly?
I've tried doing that by just getting the list of cookies from the request but it seems all of them have the different fields set to a default value. The only fields I can read are the name and the value of the cookie.
Is this the expected behaviour?
This is, indeed, the specified behaviour.
The Set-Cookie Header transmits information like HttpOnly to a client. But a call from the client to the server uses the Cookie header, which only includes cookie names and values (but no further information). Therefore, the server cannot derive this information from the Cookie header alone. It is simply not there.
This is specified in RFC 6265 "HTTP State Management Mechanism" in Section 5.4 "The Cookie Header":
4. Serialize the cookie-list into a cookie-string by processing each
cookie in the cookie-list in order:
1. Output the cookie's name, the %x3D ("=") character, and the
cookie's value.
2. If there is an unprocessed cookie in the cookie-list, output
the characters %x3B and %x20 ("; ").
Since the information is missing, it is often set to a default value.
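The following is an added example, not code from either question or from Firefox: a Python reference implementation of the RFC 6265 section 5.2 Set-Cookie parsing steps and the section 5.4 Cookie header serialization. Run on the two headers from the Firefox question above, it reproduces both observed results (a comma never splits cookies, only ";" does), and serializing the stored cookies shows why HttpOnly never reaches the server.

```python
# Added example: RFC 6265 s5.2 parsing of one Set-Cookie value and s5.4
# serialization of stored cookies into a Cookie request header. Not Firefox's
# code and not the servlet API; a minimal reference model of the algorithm.

KNOWN_ATTRS = ("path", "domain", "expires", "max-age", "secure", "httponly")


def parse_set_cookie(header_value: str):
    """Parse a single Set-Cookie value. Returns None when the cookie is ignored."""
    # Step 1: the name-value-pair ends at the FIRST ';'; the rest is attributes.
    if ";" in header_value:
        name_value, unparsed = header_value.split(";", 1)
    else:
        name_value, unparsed = header_value, ""
    # Steps 2-3: without '=' the whole set-cookie-string is ignored.
    if "=" not in name_value:
        return None
    name, value = name_value.split("=", 1)
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name:
        return None
    cookie = {"name": name, "value": value, "attrs": {}}
    # Steps 4-5: attributes are delimited only by ';'. A comma is just a
    # character inside the name-value-pair or inside an attribute value.
    for av in unparsed.split(";"):
        if "=" in av:
            aname, aval = av.split("=", 1)
        else:
            aname, aval = av, ""          # flag attributes such as Secure, HttpOnly
        aname, aval = aname.strip(" \t").lower(), aval.strip(" \t")
        if aname in KNOWN_ATTRS:          # unrecognized attribute-names are ignored
            cookie["attrs"][aname] = aval  # last occurrence wins (s5.3)
    return cookie


def cookie_header(cookies) -> str:
    """RFC 6265 s5.4 step 4: only name=value pairs, joined by '; '."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)
```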

HtmlUnit: Request website from server in a specific language

I am looking for a clean/simple way in HtmlUnit to request a webpage from a server in a specific language.
To do this I have been trying to request "bankofamerica.com" for their homepage in Spanish instead of English.
This is what I have done so far:
I tried to set the "Accept-Language" header to "es" in the HTTP request. I did this using:
myWebClient.addRequestHeader("Accept-Language" , "es");
It did not work. I then created a web request with the following code:
URL myUrl = new URL("https://www.bankofamerica.com/");
WebRequest myRequest = new WebRequest(myUrl);
myRequest.setAdditionalHeader("Accept-Language", "es");
HtmlPage aPage = myWebClient.getPage(myRequest);
Since this failed too, I printed out the request object for this URL to check if these headers are being set.
[<url="https://www.bankofamerica.com/", GET, EncodingType[name=application/x-www-form-urlencoded], [], {Accept-Language=es, Accept-Encoding=gzip, deflate, Accept=*/*}, null>]
So the server is being asked for a Spanish page, but in response it sends the homepage in English (the response header has the value of Content-Language set to en-US).
I did find a hack to retrieve the BOA page in Spanish. I visited this page and used the Chrome developer tool to get the cookie value from the request header. I used this value to do the following:
myRequest.setAdditionalHeader("Cookie", "TLTSID= ........._LOCALE_COOKIE=es-US; CONTEXT=es_US; INTL_LANG=es_US; LANG_COOKIE=es_US; hp_pf_anon=anon=((ct=+||st=+||fn=+||zc=+||lang=es_US));..........1870903; throttle_value=43");
I am guessing the answer lies somewhere here.
Here lies my next question. If I am writing a script to retrieve 100 different websites in Spanish (i.e. assuming they all have their pages in Spanish), is there a clean way in HtmlUnit to accomplish this?
(If cookies are indeed a solution, then to create them in HtmlUnit you need to specify the domain name. One would then have to create cookies for each of the 100 sites. As far as I know there is no way in HtmlUnit to do something like:
Cookie langCookie = new Cookie("All Domains","LANG_COOKIE","es_US");
myWebClient.getCookieManager().addCookie(langCookie);)
NOTE: I am using HtmlUnit 2.12 and setting BrowserVersion.CHROME in the WebClient.
Thanks.
Regarding your first concern, the clear/simple (/only?) way of requesting a webpage in a particular language is, as you said, to set the HTTP Accept-Language request header to the locale(s) you want. That is it.
Now the fact that you request a page in a particular language doesn't mean that you will actually get a page in that language. The server has to be set up to process that HTTP header and respond accordingly. Even if a site has a whole section in Spanish, it doesn't mean that the site is responding to the HTTP header.
A clear example of this is the page you provided. I performed a quick test on it and found that it is clearly not responding according to the Accept-Language I've set (which was es). Hitting the home page using es resulted in getting results in English. However, the page has a link that states En Español, which means In Spanish; the page does switch to Spanish and you get redirected to https://www.bankofamerica.com?request_locale=es_US.
So you might be tempted to think that the page handles the locale by a request parameter. However, that is not (only) the case. Because if you then open the home page again (without the locale parameter) you will see the Spanish version again. That is clearly proof that it is being stored somewhere else, most likely in the session, which will most likely be handled by cookies.
That can easily be confirmed by opening a private session or clearing the cookies and confirming this behaviour (I've just done that).
I think that explains the mystery of the webpage existing in Spanish but being fetched in English. (Note how most bank webpages do not conform to basic standards such as responding to simple HTTP requests... and they are handling our money!)
Regarding your second question, it would be like asking What is the recipe to never get ill?. It just doesn't depend on you. Also note that your first concern used the word request while your second concern used the word retrieve. I think it should be clear by now that you can only be 100% sure of what you request but not of what you retrieve.
Regarding setting a value in a cookie manually, that is technically possible. However, that is just like adding another parameter in a GET request: http://domain.com?login=yes. The parameter will only be processed by the server if it is expecting it. Otherwise, it will be ignored. That is what will happen to the value in your cookie.
Summary: There are standards to follow. You can try to use them, but if the one on the other side doesn't, then you won't get the results you expect. Your best choice: do your best and follow the standards.

What is the use of response.addHeader when we have response.setContentType in java

May I know the use of response.addHeader when we already have response.setContentType in Java...
I'm unable to find a proper solution.
<% response.addHeader("Content-Disposition","attachment;filename=Report.xls"); %>
<% response.setContentType("application/vnd.ms-excel"); %>
Here the above second statement is enough to get the response in Excel format.
In which scenario do I need to use response.addHeader?
Please...
This particular header:
"Content-Disposition","attachment;filename=Report.xls"
tells the browser to download the file as an attachment with default name Report.xls.
Also check the HTTP/1.1 specs
The Content-Disposition response-header field has been proposed as a
means for the origin server to suggest a default filename if the user
requests that the content is saved to a file.
An example is
Content-Disposition: attachment; filename="fname.ext"
The receiving user agent SHOULD NOT respect any directory path
information present in the filename-parm parameter, which is the only
parameter believed to apply to HTTP implementations at this time. The
filename SHOULD be treated as a terminal component only.
If this header is used in a response with the application/octet-
stream content-type, the implied suggestion is that the user agent
should not display the response, but directly enter a `save response
as...' dialog.
Remember though, HTTP/1.1 defines the Content-Disposition response header field, but points out that it is not part of the HTTP/1.1 Standard.
IMHO, don't use JSP to do the downloading stuff, use a Servlet instead!
I don't write in Java, but I know there are many sharing the same feature.
And IMO it's just a shortcut.
BTW, there are so many headers... Not just Content-Type or something like that.
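The spec text quoted above says a user agent SHOULD NOT honour directory path information in the filename parameter. The following is an added example, not from the question or the answers, of a client-side helper that applies that rule: it extracts the filename from a Content-Disposition value and keeps only the terminal path component, so a response cannot steer the saved file into another directory. It assumes the plain filename form; the RFC 5987 filename* form is not handled.

```python
import re

# Added example: extract a filename from Content-Disposition and reduce it to a
# single path component, per the HTTP/1.1 advice that the filename SHOULD be
# treated as a terminal component only. Handles quoted and unquoted forms.

# filename="quoted string with \" escapes"  or  filename=token
_FILENAME_RE = re.compile(
    r'filename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))', re.IGNORECASE
)


def safe_download_name(content_disposition: str, default: str = "download") -> str:
    """Return a filename safe to use as one path component, or `default`."""
    m = _FILENAME_RE.search(content_disposition)
    if not m:
        return default
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    raw = raw.replace('\\"', '"')  # unescape quoted-pair inside a quoted-string
    # Treat both '/' and '\' as directory separators; keep only the last part.
    name = re.split(r"[\\/]", raw)[-1]
    # Drop control characters, and refuse names that mean "this/parent directory".
    name = "".join(ch for ch in name if ch.isprintable()).strip()
    if name in ("", ".", ".."):
        return default
    return name
```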

How to disable Ajax caching?

I am having an issue with Ajax caching. This was a problem in the IE browser too, but I fixed it by writing the following code.
response.setHeader("Cache-Control", "no-cache");
response.setHeader("expires","-1");
response.setHeader("pragma","no-cache");
But I see Safari 4.0 on Mac is caching the Ajax request (we have a requirement to support this). Firefox was never a problem. Regarding this "Expires", I am setting it to -1; I see in a lot of places it is set to 0 or some old date from the past. Will it make a difference?
Send an extra parameter with your GET request that will never be the same, for example, the current timestamp. Something like:
url = url + '&nocache=' + new Date().getTime();
This will prevent caching.
First, a note on your Expires header. Your question doesn't specify what server framework you're using, so I'm not sure if this is applicable. However, it looks like you might be sending an invalid Expires header.
The RFC requires Expires to be a date, however you appear to be setting the header to a literal "-1". There are many frameworks that have an expires property on their HTTP response object that takes an int and automatically calculates a date that is that number of seconds from now.
Use a HTTP inspector to ensure that your server is sending a validly formatted date and not -1 in the Expires header.
You might try making your Cache-Control header more restrictive:
response.setHeader("Cache-Control", "private, no-cache, no-store, must-revalidate");
must-revalidate tells caches that they must obey any freshness information you give them. HTTP allows caches to serve stale representations under special conditions; by specifying this header, you’re telling the cache that you want it to strictly follow your rules. [1]
According to RFC 2616 section 9.5 about POST
Responses to this method are not cacheable, unless the response
includes appropriate Cache-Control or Expires header fields. However,
the 303 (See Other) response can be used to direct the user agent to
retrieve a cacheable resource.
So, the browser must not cache POST responses, unless the response specifies otherwise. At the same time, browsers may cache GET responses, unless the response specifies otherwise. So, for the requests that should not be cached, such as AJAX requests, POST is the preferable method.
If you, for any reason, don't want to use POSTs for AJAX, you should use the trick mentioned by minitech; it is in fact widely used to force the browser to load the current version of any resource.
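As an added example (not from the question or any of the answers), the following Python builds the restrictive header set suggested above with a syntactically valid Expires value, and provides a check that flags an Expires value that is not an HTTP-date, such as the literal "-1" the question sets.

```python
from email.utils import formatdate, parsedate_to_datetime

# Added example: anti-caching response headers with a valid Expires date, plus
# a validator for the Expires value. Framework-neutral; the dict would be
# applied with whatever setHeader-style call the server framework offers.


def no_cache_headers() -> dict:
    """Headers that tell browsers and intermediaries not to reuse the response."""
    return {
        # private + no-store + must-revalidate: nothing shared, nothing kept,
        # and no stale copies served under "special conditions".
        "Cache-Control": "private, no-cache, no-store, must-revalidate",
        "Pragma": "no-cache",  # the only directive HTTP/1.0 caches understand
        # Expires must be an HTTP-date; a date in the past means "already stale".
        # formatdate(0, usegmt=True) yields "Thu, 01 Jan 1970 00:00:00 GMT".
        "Expires": formatdate(0, usegmt=True),
    }


def expires_is_valid(value: str) -> bool:
    """True if value parses as an HTTP-date (RFC 2616 s3.3.1); "-1" and "0" do not."""
    try:
        parsedate_to_datetime(value)
    except (TypeError, ValueError):  # TypeError on older Pythons, ValueError on 3.10+
        return False
    return True
```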

cookie tutorial problem

http://www.hccp.org/java-net-cookie-how-to.html
According to this link I was trying to create a cookie and send the cookie to enter a cookie site. But it is not working. Is there any problem in that? I have some confusion on the method setRequestProperty of URLConnection. I don't understand what they are trying to send by passing "Cookie". Is it only a string, or a name, or a value?
urlConn.setRequestProperty("Cookie", myCookie);
"Cookie" in this case is a way to tell the setRequestProperty method that the argument (which is really just a String) should be treated as a cookie.
setRequestProperty may be more useful for many kinds of properties, but addRequestProperty would be more useful for cookies, because you can have multiple cookies per request. The properties are specified in RFC 2068 -- read especially section 14.