[Freeipa-devel] [PATCH 82] Compliant client side session cookie behavior

John Dennis jdennis at redhat.com
Sat Dec 8 16:16:23 UTC 2012


On 12/07/2012 06:19 PM, Simo Sorce wrote:
> On Fri, 2012-12-07 at 16:21 -0500, John Dennis wrote:

>> I'll send a revised patch with the above mentioned fixes once someone
>> else puts their eyeballs on the RFC, or maybe we should just remove the
>> check for the time being.
>
> I think that the algorithm fails to follow the RFC when you do:
>            elif url_path.endswith('/'):
>                request_path = url_path[:-1]
>
> Point 4 of the RFC doesn't say the path needs to end with a / it says
> you need to take everything before the last / wherever it is.
>
> Ie if the path is /ipa/ui/foo then the path for the cookie is /ipa/ui
> Conversely if the path is /ipa/ui/foo/ the path is /ipa/ui/foo
>
> Basically these rules treat the last 'leaf' component as not part of
> the path and are meant to remove it.

Thank you, yes you're correct. The fundamental misconception is one I've 
stumbled on in the past, as have many others: "what is the significance 
of a trailing slash in a URL path component?" The trailing slash is 
quite significant, but many of us get lulled into believing it's not 
because of the common HTTP server behavior of performing a redirect on a 
path without a trailing slash to a directory of the same name. The URLs 
"http://example.com/foo" and "http://example.com/foo/" are *not* the 
same URL. The path in a URL is considered a directory if and only if it 
ends with a trailing slash.

RFC 6265 in Section 4.1.2.4. "The Path Attribute" clearly states the 
matching is performed on *directory* components. Without a trailing 
slash the leaf component is not a directory and hence must be stripped.

Rob, the above is the answer to your question (and mine). "/ipa" and 
"/ipa/" are *not* the same, and "/ipa" will not match "/ipa" as a cookie 
path component because "/ipa" is not a directory; the directory is "/". 
FWIW the cookie's Path attribute is defined to be a directory path and 
does not require the trailing slash (or so I believe).

I'll send an updated patch shortly with the above fix. I also noticed 
that http_return_ok() omitted the validation for the HttpOnly and Secure 
flags; I'll add that too.




-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
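The default-path rule the two messages above argue about is step 4 of the user-agent algorithm in RFC 6265 section 5.1.4 (path-match is defined in the same section, and the fallback from a missing or relative Path attribute to the default-path in section 5.2.4). The following is an added example, not FreeIPA's code or the patch under review: it implements those three rules literally, plus the Secure/HttpOnly check the reply says http_return_ok() was missing. The function names, the cookie name "ipa_session" and the Set-Cookie lines at the bottom are constructed for the demo; the policy that a session cookie must carry Path, Secure and HttpOnly is this example's assumption.

```python
"""RFC 6265 cookie path and flag checks (added example, not FreeIPA code)."""
from typing import Optional


def default_path(uri_path: str) -> str:
    """Default-path of a request-URI path (RFC 6265, section 5.1.4).

    The right-most '/' and everything after it are dropped, so the last
    'leaf' component is never part of the default path. The trailing slash
    therefore matters: "/ipa/ui/foo/" has an empty leaf, "/ipa/ui/foo" has
    the leaf "foo".
    """
    # Steps 1-3: empty, relative, or containing at most one '/' -> "/"
    if not uri_path.startswith('/') or uri_path.count('/') <= 1:
        return '/'
    # Step 4: everything up to, but not including, the right-most '/'
    return uri_path[:uri_path.rindex('/')]


def path_match(request_path: str, cookie_path: str) -> bool:
    """Path-match as defined in RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # cookie-path is a proper prefix: either it ends in '/' or the next
    # request-path character is '/', so "/ipax" never matches "/ipa".
    return cookie_path.endswith('/') or request_path[len(cookie_path)] == '/'


def effective_cookie_path(uri_path: str, path_attr: Optional[str]) -> str:
    """Cookie-path per RFC 6265, section 5.2.4: a missing, empty or
    relative Path attribute falls back to the request's default-path."""
    if not path_attr or not path_attr.startswith('/'):
        return default_path(uri_path)
    return path_attr


def parse_set_cookie(header: str) -> tuple:
    """Minimal Set-Cookie parser (RFC 6265, section 5.2).

    Returns (name, value, attrs); attribute names are lower-cased because
    the RFC compares them case-insensitively, flags map to ''.
    """
    pair, *attr_parts = header.split(';')
    name, sep, value = pair.partition('=')
    if not sep or not name.strip():
        raise ValueError("malformed cookie-pair: %r" % pair)
    attrs = {}
    for part in attr_parts:
        aname, _, avalue = part.partition('=')
        if aname.strip():
            attrs[aname.strip().lower()] = avalue.strip()
    return name.strip(), value.strip(), attrs


def check_session_cookie(header: str, request_path: str,
                         expected_name: str) -> list:
    """Return the list of problems with a session cookie received in
    response to a request for request_path; [] means it is acceptable.
    Requiring path-match, Secure and HttpOnly is this example's policy."""
    name, value, attrs = parse_set_cookie(header)
    problems = []
    if name != expected_name:
        problems.append("unexpected cookie name %r" % name)
    if not value:
        problems.append("empty cookie value")
    cookie_path = effective_cookie_path(request_path, attrs.get('path'))
    if not path_match(request_path, cookie_path):
        problems.append("request path %r does not path-match cookie path %r"
                        % (request_path, cookie_path))
    if 'secure' not in attrs:
        problems.append("missing Secure flag")
    if 'httponly' not in attrs:
        problems.append("missing HttpOnly flag")
    return problems


if __name__ == '__main__':
    # Constructed inputs for the demo; the paths are the ones from the thread.
    for p in ('/ipa/ui/foo', '/ipa/ui/foo/', '/ipa', '/ipa/', '/'):
        print("%-14s -> default-path %s" % (p, default_path(p)))
    good = 'ipa_session=abc123; Path=/ipa; Secure; HttpOnly'
    print(check_session_cookie(good, '/ipa/session/json', 'ipa_session'))
    print(check_session_cookie('ipa_session=abc123; Path=/ipa',
                               '/ipax/ui', 'ipa_session'))
```

Note that path_match('/ipa', '/ipa') is true by the "identical" clause even though default_path('/ipa') is "/": the default-path only decides which path a cookie gets when the server sends no Path attribute, while path-match decides which requests later carry it. Keeping the two rules in separate functions avoids the trailing-slash special case the quoted snippet tried to add.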