[Zope3-dev] cookies in zope 3

Steve Alexander steve@cat-box.net
Sat, 15 Mar 2003 22:03:50 +0200


I'm looking into a problem where a particular installation of MS 
Internet Explorer on Windows XP is not accepting cookies from my Zope 3 
application. As part of this, I've been looking in general into cookies 
in Zope 3.

Here's an example of the Set-Cookie HTTP header being produced by the 
cookie session service:

Set-Cookie: zope3-cs-2d4d161="JSBixydDT3l4rt5QQ7e2Fi1sj10qwJXgnFBv4AADnqGVEBBGLqXsYE"; Path=/; Expires=Sat, 15 Mar 2003 19:50:27 GMT

I've been reading RFC 2109, and I've noticed a few things:

1: The date format for 'Expires' should be Wdy, DD-Mon-YY HH:MM:SS GMT 
rather than Wdy, DD Mon YYYY HH:MM:SS GMT

2: The 'Max-Age' header should be used in preference to the 'Expires' 
header. An appropriate 'Expires' header should still be produced for 
backwards compatibility with Netscape's original proposal.

3: A 'Version' header is required if you're sending RFC-compliant cookies.


The Apache Cocoon Cookie interface sends version 0 cookies by default, 
and sends version 1 cookies if you ask it to. The rationale for this is 
to achieve the best range of interoperability.

The Cocoon Cookie interface does not allow directly setting the 
deprecated 'Expires' header. Rather, it allows setting the maximum age 
of a cookie, and takes responsibility for producing an appropriate 
'Expires' header.

http://xml.apache.org/cocoon/apidocs/org/apache/cocoon/environment/Cookie.html

The Cocoon API is more abstract than the Zope 3 cookie API.
I prefer the more abstract API, as it relieves the user of the API from 
worrying about whether the cookies comply with the RFC. That is, I think 
the framework should take as much responsibility as possible for making 
cookies interoperable and compliant with standards.

Zope 3 does a lot of this already, but it doesn't do anything special 
about managing the version of the protocol it is using, and making sure 
that 'Max-Age' and 'Expires' headers are present together, and agree 
with each other. Zope 3 also does not check that values contain only 
allowed characters.

I think the Zope 3 cookie API should understand what version of the 
cookie protocol it is using, and should take care of the things I listed 
above.


Any comments?

--
Steve Alexander
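As an added illustration of the three points in the post and of the checks the post says Zope 3 does not yet make (the version of the protocol, Max-Age and Expires present together and in agreement, allowed characters), here is a small Python module that builds a Set-Cookie header the way the post describes and audits an existing one. This is example code written for this page, not Zope 3's or Cocoon's code. The token and quoted-string rules follow the HTTP/1.1 grammar; the two-digit-year pivot in `parse_netscape_date` (values below 70 are 20xx) and the use of the Unix epoch as the Expires value for Max-Age=0 are this example's own assumptions, and the `NOW` timestamp is constructed for the demonstration.

```python
"""Build and audit Set-Cookie headers: Version attribute, Max-Age with a
matching Netscape-format Expires, and a character check on name/value.
Example code written for this page; not Zope 3's own implementation."""
import re
from datetime import datetime, timedelta, timezone

_DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # assumed Expires for Max-Age=0

# HTTP/1.1 token: printable ASCII minus CTLs and the separator characters.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$")
# Conservative quoted-string contents: printable ASCII without '"' or '\'.
_QUOTED_RE = re.compile(r"^[\x20-\x21\x23-\x5b\x5d-\x7e]*$")
# Netscape date form the post asks for: Wdy, DD-Mon-YY HH:MM:SS GMT
_NS_DATE_RE = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), (\d\d)-([A-Z][a-z]{2})-(\d\d) "
                         r"(\d\d):(\d\d):(\d\d) GMT$")


def netscape_date(when):
    """Format a datetime as Wdy, DD-Mon-YY HH:MM:SS GMT (names built by hand, so locale-proof)."""
    when = when.astimezone(timezone.utc)
    return "%s, %02d-%s-%02d %02d:%02d:%02d GMT" % (
        _DAYS[when.weekday()], when.day, _MONTHS[when.month - 1],
        when.year % 100, when.hour, when.minute, when.second)


def parse_netscape_date(text):
    """Parse the Netscape date form; return None if the text is in any other form."""
    m = _NS_DATE_RE.match(text)
    if not m or m.group(3) not in _MONTHS:
        return None
    yy = int(m.group(4))
    year = 2000 + yy if yy < 70 else 1900 + yy  # assumed pivot for two-digit years
    return datetime(year, _MONTHS.index(m.group(3)) + 1, int(m.group(2)),
                    int(m.group(5)), int(m.group(6)), int(m.group(7)), tzinfo=timezone.utc)


def set_cookie_header(name, value, max_age=None, path="/", version=1, now=None):
    """Build a Set-Cookie line; the framework, not the caller, derives Expires from Max-Age."""
    if not _TOKEN_RE.match(name):
        raise ValueError("cookie name is not a token: %r" % name)
    if not _QUOTED_RE.match(value):
        raise ValueError("cookie value has characters that cannot go in a quoted-string")
    parts = ['%s="%s"' % (name, value)]
    if version:
        parts.append("Version=%d" % version)      # version 0 = Netscape cookie, no attribute
    if path is not None:
        parts.append("Path=%s" % path)
    if max_age is not None:
        if max_age < 0:
            raise ValueError("Max-Age must be a non-negative number of seconds")
        now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
        # Max-Age=0 means "discard now"; Netscape clients need a past Expires for that.
        expires = _EPOCH if max_age == 0 else now + timedelta(seconds=max_age)
        parts.append("Max-Age=%d" % max_age)
        parts.append("Expires=%s" % netscape_date(expires))
    return "Set-Cookie: " + "; ".join(parts)


def audit_set_cookie(header, now):
    """Return a list of findings for a Set-Cookie line; an empty list means it passes."""
    findings = []
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    pieces = [p.strip() for p in body.split(";")]
    name, _, value = pieces[0].partition("=")
    if not _TOKEN_RE.match(name):
        findings.append("name is not a token: %r" % name)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value_ok = _QUOTED_RE.match(value[1:-1])
    else:
        value_ok = _TOKEN_RE.match(value)
    if not value_ok:
        findings.append("value contains characters outside token/quoted-string")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    if "version" not in attrs:
        findings.append("no Version attribute: this is a version 0 (Netscape) cookie")
    expires, max_age = attrs.get("expires"), attrs.get("max-age")
    exp_dt = None
    if expires is not None:
        exp_dt = parse_netscape_date(expires)
        if exp_dt is None:
            findings.append("Expires is not in Wdy, DD-Mon-YY HH:MM:SS GMT form: %r" % expires)
        if max_age is None:
            findings.append("Expires present without Max-Age")
    if max_age is not None:
        if not max_age.isdigit():
            findings.append("Max-Age is not a non-negative integer: %r" % max_age)
        elif expires is None:
            findings.append("Max-Age present without an Expires fallback")
        elif exp_dt is not None:
            expected = _EPOCH if int(max_age) == 0 else now + timedelta(seconds=int(max_age))
            if abs((exp_dt - expected).total_seconds()) > 1:
                findings.append("Max-Age and Expires disagree")
    return findings


# The header quoted in the post, audited against a constructed clock reading.
POST_HEADER = ('Set-Cookie: zope3-cs-2d4d161="JSBixydDT3l4rt5QQ7e2Fi1sj10qwJXgnFBv4AADnqGVEBBGLqXsYE"; '
               'Path=/; Expires=Sat, 15 Mar 2003 19:50:27 GMT')
NOW = datetime(2003, 3, 15, 19, 30, 27, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for finding in audit_set_cookie(POST_HEADER, NOW):
        print("finding:", finding)
    print(set_cookie_header("zope3-cs-2d4d161", "JSBixydDT3l4rt5QQ7e2Fi1sj10qwJXgnFBv4AADnqGVEBBGLqXsYE",
                            max_age=1200, now=NOW))
```

Run as a script, the audit of the post's header reports exactly the three things the post lists (no Version, an Expires in the RFC 1123 rather than the Netscape form, and Expires without Max-Age), while the header the builder emits for the same cookie passes the audit with no findings.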