[ZCM] [ZC] 569/ 3 Comment "Zope cookies unconditionally quoted"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin@zope.org
Tue, 25 Feb 2003 17:04:44 -0500


Issue #569 Update (Comment) "Zope cookies unconditionally quoted"
 Status Pending, Zope/bug medium
To followup, visit:
  http://collector.zope.org/Zope/569

==============================================================
= Comment - Entry #3 by reiman on Feb 25, 2003 5:04 pm

As the original poster, let me clarify why this is a problem. It has nothing to do with specs or free quoting. The problem is cookies are used across technologies: my Zope-set cookies will be read by JavaScript and/or Apache servers and god-knows-what else. Ramming quotes around them (indeed, any magic wrapping) makes Zope cookies incompatible with third-party technologies. Zope might like to pretend it lives in a vacuum, but my cookies certainly don't.

There is a workaround at least. It is also too late to fix this, as it would break existing cookies. I feel the existing behavior probably should remain, but it needs to be documented, and the setHeader workaround should be mentioned in the same place.

________________________________________
= Comment - Entry #2 by leper on Nov 19, 2002 9:05 am

It's a little unclear why this is a bug, so I'll expound upon it some.

The quotes are added in the _cookie_list() function from
ZPublisher/HTTPResponse.py.  The quotes themselves aren't a bug;
quoted strings are allowed if we are to believe RFC 2965 or 2109
(although not all bother to do so), nor do they interfere with the
infamously half-assed Netscape Cookie specification.  The problem is
that adding quotes without doing any further encoding on the cookie
value is a worthless gesture, and no further encoding is done: values
are passed completely raw.

Passing everything raw, leaving the setCookie methods a somewhat thin
conceptual wrapper around setHeader, means that authors must do their
own encoding and decoding to ensure semicolons (and other special
characters) in the cookie value are properly translated.  Adding
quotes the way ZPublisher does also means the author must be aware of
this and be sure to include quotes in the list of 'special characters'
that require encoding; otherwise the regex in HTTPRequest.py is sure
to mangle that cookie if the browser doesn't.  That the API
documentation doesn't mention any of this is rather suboptimal if
authors are expected to write robust code.

It could be said that if the author must already do all this work
preparing their data for transport, then there really isn't much merit
in giving them the quotes for "free."  Alternatively, setCookie could
just generate a header that's valid automatically, without the author
having to do the hard part.  Figuring out what 'valid' is these days,
given the rather sizable gap between the published standards and
current practices, should be entertaining.

Suffice it to say the cookie hooks and the documentation need work.
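
The behaviour comment #2 describes, modelled as an added example in plain Python (this is not Zope's code and does not reproduce _cookie_list() or the HTTPRequest.py regex): one setter wraps the raw value in double quotes without encoding, the other percent-encodes the value so that ';' and '"' can never break the header, and a deliberately simple third-party style reader shows what each side sees.

```python
# Added example, not Zope's code. naive_set_cookie() mimics a setCookie that
# quotes the raw value with no encoding; safe_set_cookie() percent-encodes the
# value first, so '"' and ';' are escaped and no quoting is needed at all.
from urllib.parse import quote, unquote


def naive_set_cookie(name, value):
    # Raw value wrapped in quotes, nothing encoded: what the report complains about.
    return f'{name}="{value}"'


def safe_set_cookie(name, value):
    # Encode everything outside the unreserved set (letters, digits, '_.-~'),
    # which covers '"' and ';', so the header is always a single name=value pair.
    return f'{name}={quote(value, safe="")}'


def parse_cookie_header(header):
    # A simple reader of the kind a non-Zope server or script might use:
    # split on ';' and '=' with no quote handling whatsoever.
    pairs = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip()] = val.strip()
    return pairs


def read_naive(header, name):
    # Mimic stripping the surrounding quotes on retrieval; a value that was
    # split at an unencoded ';' no longer has matching quotes and stays mangled.
    val = parse_cookie_header(header).get(name)
    if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return val


def read_safe(header, name):
    # Decode the percent-encoded value; nothing special to strip.
    val = parse_cookie_header(header).get(name)
    return unquote(val) if val is not None else None
```

A third-party reader of the naive header sees the quotes as part of the value, and a value containing ';' is truncated; the encoded form round-trips unchanged.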

________________________________________
= Request - Entry #1 by Anonymous User on Sep 13, 2002 6:39 pm

Setting a cookie value via (adapt for your site...)

<dtml-call "RESPONSE.setCookie('cookie_name', 'value', expires='Wed, 19 Feb 2020 14:28:00 GMT', path='/', domain='kefta.com')">

will set a cookie, but the value will have double quotes around it. Zope appears to strip these quotes on retrieval so they are not visible from Zope, but other servers in the same domain will see them, as well as Mozilla's cookie manager.

No workaround known, except for JavaScript or setting cookies via a different server.

==============================================================