Closed Bug 177930 Opened 22 years ago Closed 21 years ago

Check for "max-age" before checking for "expires"

Categories

(Core :: Networking: Cookies, defect, P4)

x86
Windows 2000
defect

RESOLVED WORKSFORME
mozilla1.3beta

People

(Reporter: harishd, Assigned: danm.moz)

Details

Since "max-age" attribute overrides "expires" we should first check for
"max-age" attribute before checking for "expires".  Thus if "max-age" was
present then there is no need to check for "expires" - minor optimization.
Status: NEW → ASSIGNED
Priority: -- → P4
Target Milestone: --- → mozilla1.3beta

Not minor.

javax.servlet.Cookie has a setMaxAge instance method. A call to
loginCookie.setMaxAge(0), does not ultimately result in the cookie being
deleted. Calling loginCookie.setValue("") does not set the cookie's value to an
empty string.

At first I thought that I was doing something wrong. After testing in IE 5.2, I
don't think that this is so. IE 5.2 does what I expected.


Here is a test page:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
        "http://www.w3.org/TR/1998/REC-html40-19980424/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <title>Untitled</title>
</head>
<body>
<pre>
<%@page import="com.dhtmlkitchen.util.CookieUtils"%>
<%
    Cookie c = CookieUtils.getCookie(request.getCookies(), "login");
    if(c != null) {
        out.println("deleting cookie: " + c.getName());
        c.setMaxAge(0);
        // send the new cookie to client.
        response.addCookie(c);
        out.println("deleted cookie: " + c.getName());
    }
    //else 
        //out.println("foobar cookie doesn't exist");
%>
</pre>
<script type="text/javascript">
window.document.write(window.document.cookie);
</script>
</body>
</html>

And the cookie gets printed out. Oddly, the cookie is deleted when the page is
directly invoked. Indirect invocation of this page through a request filter or
controller does not delete the cookie. If I could see the HTTP headers being
sent, I'd be able to make more sense of this, but I don't.


To see a real live demo, try this:

1. go to http://dhtmlkitchen.com/
2. register for an account
3. confirm registration and login CHECK "Auto Login" (important)
4. logout with the logout link under your account menu.
5. Mozilla: you will be automatically logged in by the request filter which
reads the cookie on subsequent requests.
  Explorer: the cookie is deleted for good.


IE 5.2 correctly deletes the cookie and doesn't send it back to the server,
Mozilla 1.2 does not. 



javascript:alert(document.cookie);



I hope I posted this in the right place.
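
The precedence stated in the report (Max-Age is checked before Expires) and the Max-Age=0 deletion that comment 1 expects, as an added example that is not part of the original thread and not Mozilla's code. The function names, the fixed clock and the sample headers are constructed for illustration.

```javascript
// Added example. Names are hypothetical; this is not the logic in nsCookies.cpp.
// Splits one Set-Cookie value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 1) return null;                       // no name=value pair: ignore header
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i < 0 ? "" : part.slice(i + 1).trim());
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Decides what the client does with the cookie at time nowMs (epoch milliseconds).
function resolveExpiry(header, nowMs) {
  const cookie = parseSetCookie(header);
  if (!cookie) return null;
  const { name, attrs } = cookie;
  // Max-Age is checked first: when it is valid, Expires is never parsed.
  const maxAge = attrs.get("max-age");
  if (maxAge !== undefined && /^-?\d+$/.test(maxAge)) {
    const secs = parseInt(maxAge, 10);
    return secs <= 0
      ? { name, action: "delete", source: "max-age", expiresAt: 0 }
      : { name, action: "store", source: "max-age", expiresAt: nowMs + secs * 1000 };
  }
  // Expires is only consulted when Max-Age is absent or malformed.
  const t = Date.parse(attrs.get("expires") ?? "");
  if (!Number.isNaN(t)) {
    return { name, action: t <= nowMs ? "delete" : "store", source: "expires", expiresAt: t };
  }
  return { name, action: "store", source: "session", expiresAt: null }; // no lifetime given
}

// Constructed sample headers, evaluated at a fixed clock of 2003-01-01 00:00:00 UTC.
const NOW = Date.UTC(2003, 0, 1);
const SAMPLES = [
  "login=abc; Max-Age=0; Expires=Thu, 01 Jan 2004 00:00:00 GMT",
  "login=abc; Expires=Tue, 01 Jan 2002 00:00:00 GMT; Max-Age=3600",
  "login=abc; Max-Age=soon; Expires=Tue, 01 Jan 2002 00:00:00 GMT",
  "login=abc",
];
for (const h of SAMPLES) console.log(h, "=>", JSON.stringify(resolveExpiry(h, NOW)));
```

The first sample is the logout case from the test page: the cookie is dropped even though Expires names a future date.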

I don't think the symptoms described in comment 1 have anything to do with the
report.  The only effect of checking for max-age before expires should be one of
optimization.  If so, comment 1 should be in a separate bug report.

One way to know for sure is to see a cookie log.  Garrett, could you please
generate such a log and post it to this bug report.  See the comments in
nsCookies.cpp for instructions on generating a cookie log.

-> danm
Assignee: morse → danm
Status: ASSIGNED → NEW

This bug will be fixed if the patch for bug 177698 gets checked in; as part of
the cookie rewrite-in-progress.

dwitte: Does that mean this is fixed now?

uhh, sorry - wasn't on the cc list, didn't see that last comment.

yup, fixed.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME