[Zope3-dev] cookies in zope 3
Steve Alexander
steve@cat-box.net
Sat, 15 Mar 2003 22:03:50 +0200
I'm looking into a problem where one particular installation of MS
Internet Explorer on Windows XP is not accepting cookies from my Zope 3
application. As part of this, I've been looking in general into cookies
in Zope 3.
Here's an example of the Set-Cookie HTTP header being produced by the
cookie session service:
Set-Cookie: zope3-cs-2d4d161="JSBixydDT3l4rt5QQ7e2Fi1sj10qwJXgnFBv4AADnqGVEBBGLqXsYE"; Path=/; Expires=Sat, 15 Mar 2003 19:50:27 GMT
I've been reading RFC 2109, and I've noticed a few things:
1: The date format for 'Expires' should be Wdy, DD-Mon-YY HH:MM:SS GMT
rather than Wdy, DD Mon YYYY HH:MM:SS GMT
2: The 'Max-Age' header should be used in preference to the 'Expires'
header. An appropriate 'Expires' header should still be produced for
backwards compatibility with Netscape's original proposal.
3: A 'Version' header is required if you're sending RFC compliant cookies.
The apache cocoon Cookie interface sends version 0 cookies by default,
and sends version 1 cookies if you ask it to. The rationale for this is
to achieve the best range of interoperability.
The cocoon Cookie interface does not allow directly setting the
deprecated 'Expires' header. Rather, it allows setting the maximum age
of a cookie, and takes responsibility for producing an appropriate
'Expires' header.
http://xml.apache.org/cocoon/apidocs/org/apache/cocoon/environment/Cookie.html
The cocoon API is more abstract than the Zope 3 cookie API.
I prefer the more abstract API, as it relieves the user of the API from
worrying about whether the cookies comply with the RFC. That is, I think
the framework should take as much responsibility as possible for making
cookies interoperable and compliant with standards.
Zope 3 does a lot of this already, but it doesn't do anything special
about managing the version of the protocol it is using, and making sure
that 'Max-Age' and 'Expires' headers are present together, and agree
with each other. Zope 3 also does not check that values contain only
allowed characters.
I think the Zope 3 cookie API should understand what version of the
cookie protocol it is using, and should take care of the things I listed
above.
Any comments?
--
Steve Alexander
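The following is an added example, not code from Steve's post and not Zope 3 or Cocoon code. It shows what a framework-side Set-Cookie builder that follows the three points above could look like: it emits Version=1, treats Max-Age as authoritative and derives a matching Expires in the Wdy, DD-Mon-YY HH:MM:SS GMT form the post quotes from RFC 2109, checks the name and value against the RFC 2068 token rules (quoting values that are not tokens, rejecting control characters), and includes a checker that verifies Max-Age and Expires in a header agree. The function and constant names, and the fixed "now" used to make the output reproducible, are this example's own choices; the cookie name and value are the ones from the header quoted in the post. Path is emitted unquoted, as in that header, for Netscape compatibility, and the agreement checker assumes the cookie value itself contains no ';'.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 2068 token: any CHAR except CTLs and the separators
# ( ) < > @ , ; : \ " / [ ] ? = { } SP HT.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$")
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")
# Fixed English names so output does not depend on the process locale.
_DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def netscape_expires(when):
    """Format a UTC datetime as 'Wdy, DD-Mon-YY HH:MM:SS GMT', the Expires
    form RFC 2109 keeps for compatibility with Netscape's original proposal."""
    return "%s, %02d-%s-%02d %02d:%02d:%02d GMT" % (
        _DAYS[when.weekday()], when.day, _MONTHS[when.month - 1],
        when.year % 100, when.hour, when.minute, when.second)


def is_allowed_value(value):
    """A value is usable if it is a token or can be sent as a quoted-string
    (no CTLs, no embedded '"' or backslash)."""
    if _TOKEN_RE.match(value):
        return True
    return not (_CTL_RE.search(value) or '"' in value or "\\" in value)


def encode_cookie_value(value):
    """Return the value as it should appear on the wire: bare if it is a
    token, quoted otherwise; reject anything RFC 2109 does not allow."""
    if not is_allowed_value(value):
        raise ValueError("cookie value not allowed by RFC 2109: %r" % (value,))
    return value if _TOKEN_RE.match(value) else '"%s"' % value


def build_set_cookie(name, value, max_age=None, path="/", domain=None,
                     secure=False, now=None):
    """Build a Version=1 Set-Cookie header. Max-Age is authoritative; the
    Expires attribute is derived from it so the two always agree."""
    if not _TOKEN_RE.match(name):
        raise ValueError("cookie name must be an HTTP token: %r" % (name,))
    parts = ["%s=%s" % (name, encode_cookie_value(value)), "Version=1"]
    if path:
        parts.append("Path=%s" % path)
    if domain:
        parts.append("Domain=%s" % domain)
    if max_age is not None:
        if max_age < 0:
            raise ValueError("Max-Age must be >= 0")
        parts.append("Max-Age=%d" % max_age)
        now = now or datetime.now(timezone.utc)
        parts.append("Expires=" + netscape_expires(now + timedelta(seconds=max_age)))
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def expires_and_max_age_agree(header, now):
    """True when the header carries both Max-Age and Expires and Expires equals
    now + Max-Age to the second. Assumes the cookie value contains no ';'."""
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    if "max-age" not in attrs or "expires" not in attrs:
        return False
    expires = datetime.strptime(attrs["expires"], "%a, %d-%b-%y %H:%M:%S GMT")
    expires = expires.replace(tzinfo=timezone.utc)
    return expires == now + timedelta(seconds=int(attrs["max-age"]))


# Constructed fixed clock: 30 minutes before the expiry in the quoted header.
EXAMPLE_NOW = datetime(2003, 3, 15, 19, 20, 27, tzinfo=timezone.utc)


def demo():
    """Rebuild the session cookie from the post with a 30-minute lifetime."""
    return build_set_cookie(
        "zope3-cs-2d4d161",
        "JSBixydDT3l4rt5QQ7e2Fi1sj10qwJXgnFBv4AADnqGVEBBGLqXsYE",
        max_age=1800, now=EXAMPLE_NOW)


if __name__ == "__main__":
    header = demo()
    print(header)
    print("Max-Age and Expires agree:", expires_and_max_age_agree(header, EXAMPLE_NOW))
```

Because the value in the quoted header is a plain token, the builder emits it without the surrounding quotes; a value containing a space or other separator would be emitted as a quoted-string, and one containing a control character is refused rather than sent.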