Comments on: Reserved names for cookies http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/ Jochem's tech exploits Sun, 14 Mar 2010 06:46:05 +0000 http://wordpress.org/?v=2.7 hourly 1 By: Brad Wood http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-28 Brad Wood Tue, 15 Jul 2008 06:16:29 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-28 Here's my latest solution to this problem. So far it works locally on my machine. http://www.codersrevolution.com/index.cfm/2008/7/15/No-Cookie-For-You-Second-Solution Here’s my latest solution to this problem. So far it works locally on my machine.

http://www.codersrevolution.com/index.cfm/2008/7/15/No-Cookie-For-You-Second-Solution

]]> By: Brad Wood http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-27 Brad Wood Sat, 12 Jul 2008 09:00:04 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-27 Here is the servlet filter to remove cookies: http://www.codersrevolution.com/index.cfm/2008/7/11/Java-Servlet-Filters-Part-2-Removing-Cookies That didn't solve the problem, and this is what I found: http://www.codersrevolution.com/index.cfm/2008/7/11/Cookie-Reserved-Names-Whos-to-blame Here is the servlet filter to remove cookies:
http://www.codersrevolution.com/index.cfm/2008/7/11/Java-Servlet-Filters-Part-2-Removing-Cookies

That didn’t solve the problem, and this is what I found:
http://www.codersrevolution.com/index.cfm/2008/7/11/Cookie-Reserved-Names-Whos-to-blame

]]> By: Brad Wood http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-26 Brad Wood Sat, 12 Jul 2008 04:50:43 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-26 Jochem, I'm in the process of blogging my finds now, but the short story is I successfully wrote a servlet filter to remove cookies from the httpServletRequest object before ColdFusion got it, but it didn't work becuase JRUN is where the cookies get parsed and the log files are appended BEFORE any servlet filters are run. I tracked it down to the javax.servlet.http.Cookie class (which is thankfully open source) and sure enough, an IllegalArgumentException error is thrown when the cookie name is a in a list of reserved names. Check out the code at http://kickjava.com/src/javax/servlet/http/Cookie.java.htm. The best Adobe could do would be to not log errors returned by the Cookie class constructor. In the mean time, I posted this question to the Sun Java forum to see if anyone could provide some history. http://forum.java.sun.com/thread.jspa?threadID=5313146 ~Brad Jochem, I’m in the process of blogging my finds now, but the short story is I successfully wrote a servlet filter to remove cookies from the httpServletRequest object before ColdFusion got it, but it didn’t work becuase JRUN is where the cookies get parsed and the log files are appended BEFORE any servlet filters are run. I tracked it down to the javax.servlet.http.Cookie class (which is thankfully open source) and sure enough, an IllegalArgumentException error is thrown when the cookie name is a in a list of reserved names. Check out the code at http://kickjava.com/src/javax/servlet/http/Cookie.java.htm.

The best Adobe could do would be to not log errors returned by the Cookie class constructor. In the mean time, I posted this question to the Sun Java forum to see if anyone could provide some history. http://forum.java.sun.com/thread.jspa?threadID=5313146

~Brad

]]> By: Jochem http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-25 Jochem Fri, 11 Jul 2008 08:19:54 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-25 I filed an enhancement request with Adobe with the following text: <blockquote>Ignore logging of "domain", "expires" etc. cookies When CF (JRun?) receives a request with cookies named "domain", "expires" etc. it logs an error in *-event.log. This needlessly clutters the logfile with something that isn't really an error (the Netscape cookie proposal, RFC 2109 and RFC 2695 all allow those cookie names). Please allow us to switch off logging of these cookies (and disable this logging by default).</blockquote> I filed an enhancement request with Adobe with the following text:

Ignore logging of “domain”, “expires” etc. cookies

When CF (JRun?) receives a request with cookies named “domain”, “expires” etc. it logs an error in *-event.log. This needlessly clutters the logfile with something that isn’t really an error (the Netscape cookie proposal, RFC 2109 and RFC 2695 all allow those cookie names). Please allow us to switch off logging of these cookies (and disable this logging by default).

]]> By: Brad Wood http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-24 Brad Wood Wed, 09 Jul 2008 20:02:08 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-24 Dang it Charlie, now you've turned me on to servlet filters! :) I've always known what they did, but never considered trying to write one. I think I'm gonna' try to make a filter to get rid of certain cookies like you said-- if for nothing else than to see how it would work. I'll blog it if I can figure it out. ~Brad Dang it Charlie, now you’ve turned me on to servlet filters! :) I’ve always known what they did, but never considered trying to write one. I think I’m gonna’ try to make a filter to get rid of certain cookies like you said– if for nothing else than to see how it would work. I’ll blog it if I can figure it out.

~Brad

]]> By: Jochem http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-23 Jochem Wed, 09 Jul 2008 07:55:24 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-23 My best theory is there is a user-agent out there that does incorrect parsing of Set-Cookie headers and assumes any name=value pair is a cookie, instead of just the first being the cookie and the others attributes. If that happens to be some sort of spider (or in your case perhaps a linkchecker from a wiki / CMS) that is an error that has very little impact on the results and thus a small chance of detection. And now you are not using any cookies at all they aren't parsed incorrectly anymore and you don't get the error in your logfiles anymore. My best theory is there is a user-agent out there that does incorrect parsing of Set-Cookie headers and assumes any name=value pair is a cookie, instead of just the first being the cookie and the others attributes. If that happens to be some sort of spider (or in your case perhaps a linkchecker from a wiki / CMS) that is an error that has very little impact on the results and thus a small chance of detection. And now you are not using any cookies at all they aren’t parsed incorrectly anymore and you don’t get the error in your logfiles anymore.

]]> By: Terry Palmer http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-20 Terry Palmer Mon, 07 Jul 2008 15:21:32 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-20 Nice work Jochem. Seems my lack of knowledge of IIS log files led me to the wrong conclusion on "No Cookies For You". The CS vs SC distinction does make sense now. There is still a point of confusion on my part though. Since setting "setclientcookies=false" in the cfapplication tag, we have no longer seen the "error Cannot create cookie:" errors in our logs. Do you have any insight as to why my fix would work for "blocking" reserved word cookies as it seems? Nice work Jochem. Seems my lack of knowledge of IIS log files led me to the wrong conclusion on “No Cookies For You”. The CS vs SC distinction does make sense now. There is still a point of confusion on my part though. Since setting “setclientcookies=false” in the cfapplication tag, we have no longer seen the “error Cannot create cookie:” errors in our logs. Do you have any insight as to why my fix would work for “blocking” reserved word cookies as it seems?

]]> By: charlie arehart http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-18 charlie arehart Fri, 04 Jul 2008 00:34:11 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-18 Great investigative work, Jochem. Thanks so much for sharing this. As for how to solve it, while we might await Adobe coming up with a solution, another thing we could do is have someone write a Java Servlet filter that looks for cookies with these names and drops them from the request before it's passed on to CF. Wouldn't be too hard. If anyone's interested, you can find out more about servlet Filters (and their use with CF) in a Feb 2003 CFDJ article I did, "Fun with Filters", at http://cfdj.sys-con.com/read/41574_p.htm. Great investigative work, Jochem. Thanks so much for sharing this. As for how to solve it, while we might await Adobe coming up with a solution, another thing we could do is have someone write a Java Servlet filter that looks for cookies with these names and drops them from the request before it’s passed on to CF. Wouldn’t be too hard.

If anyone’s interested, you can find out more about servlet Filters (and their use with CF) in a Feb 2003 CFDJ article I did, “Fun with Filters”, at http://cfdj.sys-con.com/read/41574_p.htm.

]]> By: Jochem http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-17 Jochem Thu, 03 Jul 2008 18:57:11 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-17 Obviously somebody is hitting your server with bad cookies: you never set them so he shouldn't send them. But looking at the three different specifications we have for cookies (the <a href="http://web.archive.org/web/19990427030253/http://www.netscape.com/newsref/std/cookie_spec.html" rel="nofollow">Netscape cookie proposal</a>, <a href="ftp://ftp.rfc-editor.org/in-notes/rfc2109.txt" rel="nofollow">RFC 2109</a> and <a href="ftp://ftp.rfc-editor.org/in-notes/rfc2695.txt" rel="nofollow">RFC 2695</a>) there is no reason why these cookie names should be reserved in ColdFusion. The name=value pair is always the first pair of a Set-Cookie header so there is no need for disambiguation. Obviously somebody is hitting your server with bad cookies: you never set them so he shouldn’t send them.

But looking at the three different specifications we have for cookies (the Netscape cookie proposal, RFC 2109 and RFC 2695) there is no reason why these cookie names should be reserved in ColdFusion. The name=value pair is always the first pair of a Set-Cookie header so there is no need for disambiguation.

]]> By: mark kruger http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/comment-page-1/#comment-16 mark kruger Thu, 03 Jul 2008 18:43:35 +0000 http://jochem.vandieten.net/2008/07/03/reserved-names-for-cookies/#comment-16 Jochem, I think you solved this mystery handily. I read the "no cookies..." blog and I was almost buying it - but the client vs server thing was bothering me too. I think you nailed it. -Mark Jochem,

I think you solved this mystery handily. I read the “no cookies…” blog and I was almost buying it - but the client vs server thing was bothering me too. I think you nailed it.

-Mark

]]>