Closed Bug 177930 Opened 22 years ago Closed 22 years ago

Check for "max-age" before checking for "expires"

Categories

(Core :: Networking: Cookies, defect, P4)

Product:
Core
Component:
Networking: Cookies
Platform:
x86
Windows 2000
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
mozilla1.3beta

People

(Reporter: harishd, Assigned: danm.moz)

Details

Since "max-age" attribute overrides "expires" we should first check for "max-age" attribute before checking for "expires". Thus if "max-age" was present then there is no need to check for "expires" - minor optimization
Status: NEW → ASSIGNED
Priority: -- → P4
Target Milestone: --- → mozilla1.3beta
Not minor. javax.servlet.Cookie has a setMaxAge instance method. A call to loginCookie.setMaxAge(0), does not ultimately result in the cookie being deleted. Calling loginCookie.setValue("") does not set the cookie's value to an empty string. At first I though that I was doing something wrong. After testing in IE 5.2, I don't think that this is so. IE 5.2 does what I expected. Here is a test page: <?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/1998/REC-html40-19980424/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> <title>Untitled</title> </head> <body> <pre> <%@page import="com.dhtmlkitchen.util.CookieUtils"%> <% Cookie c = CookieUtils.getCookie(request.getCookies(), "login"); if(c != null) { out.println("deleting cookie: " + c.getName()); c.setMaxAge(0); // send the new cookie to client. response.addCookie(c); out.println("deleted cookie: " + c.getName()); } //else //out.println("foobar cookie doens't exist"); %> </pre> <script type="text/javascript"> window.document.write(window.document.cookie); </script> </body> </html> And the cookie gets printed out. Oddly, the cookie is deleted when the page is directly invoked. Indirect invocation of this page through a request filter or controller does not delete the cookie. If I could see the HTTP headers being sent, I'd be able to make more sense of this, but I don't. To see a real live demo, try this: 1. go to http://dhtmlkitchen.com/ 2. register for an account 3. confirm regsitration and login CHECK "Auto Login" (important) 4. logout with the logout link under your account menu. 5. Mozilla: you will be automatically logged in by the request filter which reads the cookie on subsequent requests. Explorer: the cookie is deleted for good. IE 5.2 correctly deletes the cookie and doesn't send it back to the server, Mozilla 1.2 does not. javascript:alert(document.cookie); I hope I posted this in the right place.
I don't think the symptoms described in comment 1 have anything to do with the report. The only effect of checking for max-age before expires should be one of optimization. If so, comment 1 should be in a separate bug report. One way to know for sure is to see a cookie log. Garrett, could you please generate such a log and post it to this bug report. See the comments in nsCookies.cpp for instructions on generating a cookie log.
-> danm
Assignee: morse → danm
Status: ASSIGNED → NEW
This bug will be fixed if the patch for bug 177698 gets checked in; as part of the cookie rewrite-in-progress.
dwitte: Does that mean this is fixed now?
uhh, sorry - wasn't on the cc list, didn't see that last comment. yup, fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.