I'm interested in the behavior of various browsers when there are multiple cookies with the same name and path which are valid for the current domain. E.g. the browser has stored these two cookies:
key=value; path=/; domain=foo.bar.baz
key=value; path=/; domain=bar.baz
What will be the content of the Cookie header when the user visits foo.bar.baz?
RFC 2965 has this to say about the issue:
If multiple cookies satisfy the criteria above, they are ordered in
the Cookie header such that those with more specific Path attributes
precede those with less specific. Ordering with respect to other
attributes (e.g., Domain) is unspecified.
(which is IMO a very weird design choice, but that is what we have). I suppose server-side frameworks use the first value, because that is at least sometimes more specific (I checked PHP and it indeed does so).
What I would like to know is the behavior of the major browsers: which cookie would they send first? (In other words, how much can I rely on my application getting the "correct", more specific value?)
As per comments above:
The easiest defense against this obviously "undefined behaviour (standard-wise)" from my POV is to not use PHPSESSID on the main domain bar.baz but instead on www.bar.baz - the subdomains will work fine since according to the standard there is no "fallback" in that case so the cookie stays on its own subdomain.
One possible problem needs to be checked:
PHP scripts running on a subdomain can be configured explicitly to set their cookie on the main domain... IF that is the case (code looks similar to ini_set('session.cookie_domain', 'bar.baz');) then you need to change this config to "standard" (by removing the code shown) which means that a script on a subdomain should only set cookies on its own subdomain.
EDIT - as per comments:
IF you don't have any control over some other subdomain then the "ultimate defense" is to rename your PHPSESSID cookie to something really unique (like a GUID with PHPSESSID as prefix) either by calling session_name() BEFORE session_start() OR by setting it in the config - this way you circumvent the whole problem regardless of subdomains/browser versions etc.
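As an added example (not code from either post above), here is how a server-side handler can make the ambiguity the question describes visible instead of silently relying on "first wins": the helpers parse a raw Cookie header keeping every occurrence, report names that appear more than once, and pick a value under an explicit policy. The header, the cookie names and values are constructed sample data.

```javascript
// Added example: handle a Cookie request header that carries duplicate names.
// The sample header below is constructed; it mimics the foo.bar.baz / bar.baz
// case from the question, where two cookies named PHPSESSID both match.

// Split "a=1; b=2; a=3" into ordered {name, value} pairs, keeping every occurrence.
function parseCookieHeader(header) {
  const pairs = [];
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                    // skip malformed fragments without "="
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) pairs.push({ name, value });
  }
  return pairs;
}

// Names that occur more than once: the browser sent several cookies with this name.
function duplicateCookieNames(header) {
  const counts = new Map();
  for (const { name } of parseCookieHeader(header)) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Pick a value under an explicit policy. 'first' is what the question reports
// PHP doing; 'last' takes the other end; 'strict' refuses to guess and returns
// undefined whenever the name is ambiguous.
function cookieValue(header, name, policy = 'first') {
  const values = parseCookieHeader(header)
    .filter((c) => c.name === name)
    .map((c) => c.value);
  if (values.length === 0) return undefined;
  if (values.length > 1 && policy === 'strict') return undefined;
  return policy === 'last' ? values[values.length - 1] : values[0];
}

// Constructed request header: two PHPSESSID cookies, most specific path first.
const SAMPLE_HEADER = 'PHPSESSID=abc123; PHPSESSID=zzz999; theme=dark';
```

With the 'strict' policy a session layer can treat an ambiguous session cookie as absent (start a fresh session or answer 400) rather than trust whichever value a cookie set from another subdomain happened to land first; combined with the unique session name from the answer above, that removes the dependence on browser ordering entirely.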
I need some help working with Caddy2 Server and the Caddyfile.
Some background info:
Let's say I would like to reverse proxy on 2 sites named page1.com and page2.com
So for example currently page1.com is visible in localhost:8080/page1 and page2.com is visible in localhost:8080/page2
Now assume that /page1 gives me a specific cookie named "myCookie" which has some random value in it.
I would like to pass this cookie also to /page2, so I'd have the cookie "myCookie" on both pages.
I know that I can use header_down +Set-Cookie "..." on /page2, but since the value is random, I would need to somehow save the cookie value from /page1 in order to reuse it or pass it to /page2
And that's where my knowledge reaches its limits, because in every research I did I couldn't find a way to store that value since Caddy2 doesn't seem to support variables.
Does anyone have a clue & is able to help me out with this one?
Thanks in advance!
Best Regards
Furkan
Meanwhile I've found a solution on how to accomplish this and decided to post it up here for someone who also may research for this in the future.
The idea behind that is to change the path of "myCookie" from /page1 to /, so page2 is also able to access that cookie. I've also renamed that cookie in between just to make it clear that it now isn't only the cookie of /page1.
header_down Set-Cookie "/page1" "/"           # rewrite the Path attribute so the browser also sends the cookie to /page2
header_down Set-Cookie "myCookie" "ourCookie" # rename the cookie on its way to the browser
header_up Cookie "ourCookie" "myCookie"       # requests carry a Cookie header (not Set-Cookie); rename it back for the upstream
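The rewrite above widens the cookie's Path from /page1 to /, which means every path served on that host now receives it, so it is only appropriate when everything behind the proxy trusts everything else. As an added example (not Caddy code and not part of the answer), the snippet below does the same rename and Path change in JavaScript, but structurally: it only touches the cookie name and the Path attribute. Beside it sits a blind substring replacement over the whole header value, which is how I assume a find/replace on the header behaves; the constructed sample header shows the difference when the opaque cookie value happens to contain the search string.

```javascript
// Added example: rewrite the name and Path attribute of a Set-Cookie header
// structurally, and contrast it with a whole-value substring replacement.
// SAMPLE_SET_COOKIE is constructed; the value deliberately contains "/page1".

function rewriteSetCookie(setCookie, { fromName, toName, fromPath, toPath }) {
  // "name=value" is always the first piece; the rest are attributes or flags.
  const [nameValue, ...attrs] = setCookie.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf('=');
  let name = eq < 0 ? nameValue : nameValue.slice(0, eq);
  const value = eq < 0 ? '' : nameValue.slice(eq + 1);   // value is never inspected
  if (name === fromName) name = toName;                   // exact-name rename only
  const rewritten = attrs.map((attr) => {
    const [key, val] = attr.split('=');
    if (key.toLowerCase() === 'path' && val === fromPath) return 'Path=' + toPath;
    return attr;                                          // HttpOnly, Secure, Expires... untouched
  });
  return [name + '=' + value, ...rewritten].join('; ');
}

// Blind substring replacement over the whole header value (assumed behaviour of
// a plain find/replace on the header).
function naiveReplace(setCookie, find, replace) {
  return setCookie.split(find).join(replace);
}

// Constructed response header: the opaque value happens to contain "/page1".
const SAMPLE_SET_COOKIE = 'myCookie=tok/page1xyz; Path=/page1; HttpOnly; Secure';
```

The naive variant corrupts the token (tok/page1xyz becomes tok/xyz), so the upstream would never recognise the session again; the structural variant leaves the value and the security attributes exactly as the upstream set them.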
If I define a URL like "^optional/slash/?&" - so that the web page to which it is bound will be available by both URL versions, with slash and without - will I violate any conventions or standards by doing that?
Wouldn't a redirection be more appropriate?
If I remember correctly, trailing slashes should be used with resources that list other resources, like a directory that lists files, a list of articles or a category query (e.g. http://www.example.com/category/cakes/). Without a trailing slash the URI should point to a single resource, like a file, an article or a complex query with parameters (e.g. http://www.example.com/search?ingredients=strawberry&taste=good).
Just use the HTTP code 302 FOUND to redirect typos to their correct URIs.
EDIT: Thanks to AndreD for pointing it out, an HTTP code 301 MOVED PERMANENTLY is more appropriate for permanently aliasing typos. Search engines and other clients should stop querying for the misspelled URL after getting a 301 code once, and Google recommends using it for changing the URL of a page in their index.
According to RFC 3986: Uniform Resource Identifier (URI): Generic Syntax:
Section 6.2.4. Protocol-Based Normalization -
"Substantial effort to reduce the incidence of false negatives is
often cost-effective for web spiders. Therefore, they implement even
more aggressive techniques in URI comparison. For example, if they
observe that a URI such as
http://example.com/data
redirects to a URI differing only in the trailing slash
http://example.com/data/
they will likely regard the two as equivalent in the future. This
kind of technique is only appropriate when equivalence is clearly
indicated by both the result of accessing the resources and the
common conventions of their scheme's dereference algorithm (in this
case, use of redirection by HTTP origin servers to avoid problems
with relative references)."
My interpretation of this statement would be that making the two URIs functionally equivalent (e.g. by means of an .htaccess statement, redirect, or similar) does not violate any standard conventions. According to the RFC, web spiders are prepared to treat them as functionally equivalent if they point to the same resource.
No, you are not violating any standards by doing that; you can use an optional trailing slash in website URLs,
but you need to stay on the safe side, because there are different ways servers handle the issue:
Sometimes, it doesn't matter for SEO: many web servers will just re-direct using 301 status code to the default version;
Some web servers may return a 404 page for the non-trailing-slash address = wasted link juice and efforts;
Some web servers may return 302 redirect to the correct version = wasted link juice and efforts;
Some web servers may return 200 response for both the versions = wasted link juice and efforts as well as potential duplicate content problems.
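The answers above converge on one rule: serve exactly one form with 200 and send the other to it with a 301. As an added example (not from any of the answers), here is that canonicalisation as a pure function plus a request handler; the host name localhost is only a parsing base and the policy flag is an assumption of mine.

```javascript
// Added example: canonicalise the trailing slash with a permanent redirect so
// only one URL form is ever served with 200. wantTrailingSlash is the policy:
// true means paths end with "/", false means they never do.

// Decide whether a request path needs a redirect to its canonical form.
function canonicalizePath(pathname, wantTrailingSlash) {
  if (pathname === '/') return { redirect: false, path: '/' };   // root is always "/"
  const stripped = pathname.replace(/\/+$/, '');                 // drop all trailing slashes
  const canonical = wantTrailingSlash ? stripped + '/' : stripped;
  return { redirect: canonical !== pathname, path: canonical };
}

// Build the response for a raw request-target (path plus optional query).
// Only the parsed pathname and query are echoed back, never the raw string,
// so a request-target like "//evil.example/x" cannot turn the redirect into
// an off-site Location.
function handleRequest(rawUrl, wantTrailingSlash) {
  const url = new URL(rawUrl, 'http://localhost');
  const { redirect, path } = canonicalizePath(url.pathname, wantTrailingSlash);
  if (redirect) {
    return { status: 301, headers: { Location: path + url.search } };
  }
  return { status: 200, headers: {}, body: 'canonical: ' + path };
}
```

The query string is carried across the redirect unchanged, which is what the search-style URLs in the first answer need; the 301 (rather than 302) is the status the edited answer settles on.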
I use both Google Analytics and Google Website Optimizer on www.britely.com, and want to limit their cookies to that domain only. (To avoid cookie overhead in requests for static assets loaded from other subdomains of britely.com that should get some CDN love.)
An example page that uses both (and that currently sets the __utma, __utmb, __utmc and __utmz cookies on .britely.com, instead of on the wanted www.britely.com), is http://www.britely.com/ninjamom/s-t-dogs-think
As far as Google's docs go, it seems that a _gaq.push(['_setDomainName', 'none']); call (or ditto 'www.britely.com' instead of 'none') at the top of the page should be enough to achieve this goal.
Somehow, it isn't. I think we used to have even more cookies set on .britely.com before I read through the source of GWO's siteopt.js, which doesn't seem to know _setDomainName. It's responsive to a page-global constant _udn declaring the cookie domain it should use though - so leading in the page with this, at least GWO's __utmx and __utmxx cookies are handled correctly:
<script>
var _gaq = _gaq || [], _udn = 'www.britely.com';
_gaq.push(['_setDomainName', 'none']);
</script>
I know the common way of fixing the cookie overhead issue is to serve static content from some domain entirely different from the one using GA and GWO. That is not the solution I seek.
Besides the above tweaks, the Google Website Optimizer control script also needs its own _gaq.push(['gwo._setDomainName', 'none']); call - similar to the GA one, which only seems to be system global, but isn't.
With the above setup, all cookies get scoped to www.britely.com except for the __utmx and __utmxx ones, which end up scoped to .www.britely.com for some reason. Good enough for me.
In a website where cookies are used for top-level pages (such as example.com/test.php, example.com/whatever.php), is it possible to ban cookies from certain directories such as "/images/", or am I just going to have to use a second domain (static.example.com/images/photo.jpg)?
Does anyone know of a workaround? It's for a CMS where I may not always be able to create a second domain.
Change your top-level pages to be one level down: example.com/test.php -> example.com/app/test.php
You can then set your cookies on example.com/app and they will not be sent to example.com/images
(Also your workaround won't quite work either, as static.example.com/images/photo.jpg will still get cookies set for example.com. It needs to be a different parent, e.g. example2.com/images).
No, sorry. Cookies are domain based, not directory based.
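Both answers above can be checked against the matching rules browsers actually apply. As an added example (not code from either answer), the functions below implement the domain-match and path-match rules of RFC 6265 and list which cookies from a constructed jar would be attached to a given request: the /app-scoped cookie stays away from /images, and a cookie set with Domain=example.com still reaches static.example.com, exactly as the first answer's parenthetical warns.

```javascript
// Added example: which stored cookies a browser would attach to a request,
// following the domain-match and path-match rules of RFC 6265. SAMPLE_JAR is
// constructed sample data, not taken from any real site.

// RFC 6265 section 5.1.4: cookie-path matches when it equals the request path,
// is a prefix ending in "/", or is a prefix followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath.charAt(cookiePath.length) === '/';
}

// RFC 6265 section 5.1.3: the host matches the Domain attribute when equal or
// when it is a subdomain of it (the leftover prefix must end with a dot).
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith(domain) && host.charAt(host.length - domain.length - 1) === '.';
}

// Names of the jar cookies the browser would send, longest path first (the
// ordering RFC 6265 section 5.4 prescribes for the Cookie header).
function cookiesFor(host, path, jar) {
  return jar
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter((c) => pathMatches(path, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => c.name);
}

// Constructed jar: a session cookie set with Domain=example.com (so it also
// reaches subdomains) and a host-only cookie scoped to the /app path.
const SAMPLE_JAR = [
  { name: 'PHPSESSID', domain: 'example.com', hostOnly: false, path: '/' },
  { name: 'app_pref', domain: 'example.com', hostOnly: true, path: '/app' },
];
```

Note the prefix rule: a cookie with Path=/app is not sent to /application, because the character after the prefix must be a slash. To keep static assets cookie-free on the same host, every cookie has to carry a Path under which no static content is served, and none of them may use a Domain attribute that covers the static host.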
I am working on a DotNetNuke application using the iFinity URL Master module. (that may be irrelevant, as a solution may be platform independent)
What I have is a site with addresses based on language.
so
www.thesite.com/en/products/towels/redtowel
is the English version and
www.thesite.com/de/products/towels/redtowel
is the German version.
What I need to do is allow a user (who has already visited the site and set a cookie with their language) to be able to go to www.thesite.com/products/towels/redtowel and get to www.thesite.com/en/products/towels/redtowel if their cookie is set to english, and /de/products/towels/redtowel if it is set to german.
How would I do this?
If it was me and I didn't want to spend a lot of time programming, I would look at something like this:
http://www.snowcovered.com/snowcovered2/Default.aspx?tabid=242&PackageID=10059
then it could do a redirect based on the cookie - otherwise with iFinity I think you can do that sort of, but not exactly. (I may be wrong on that - not a fan of the iFinity URL rewriter.)
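Whatever module ends up doing the redirect, the decision itself is small and platform independent. As an added example (not DotNetNuke or iFinity code, and not part of the answer), the function below computes the redirect target from the request path and the raw Cookie header; the cookie name "lang", the two supported codes and the English fallback are my assumptions. The one thing it insists on is that only an allow-listed code is ever spliced into the Location, since a cookie is client-controlled input.

```javascript
// Added example: send a visitor to the language-prefixed URL recorded in their
// cookie. The cookie name "lang", the language list and the default are assumed.
const SUPPORTED_LANGS = new Set(['en', 'de']);
const DEFAULT_LANG = 'en';

// Read one cookie by name from a raw Cookie header (first occurrence wins).
function readCookie(cookieHeader, name) {
  const m = new RegExp('(?:^|;\\s*)' + name + '=([^;]*)').exec(cookieHeader || '');
  return m ? m[1].trim() : undefined;
}

// Return the Location for a redirect, or null when the path is already localised.
function languageRedirect(pathname, cookieHeader) {
  const firstSegment = pathname.split('/')[1];
  if (SUPPORTED_LANGS.has(firstSegment)) return null;   // already under /en/ or /de/
  const fromCookie = readCookie(cookieHeader, 'lang');
  // Only allow-listed codes reach the URL; anything else falls back to the default
  // rather than being copied into the redirect target.
  const lang = SUPPORTED_LANGS.has(fromCookie) ? fromCookie : DEFAULT_LANG;
  return '/' + lang + pathname;
}
```

A missing, malformed or unsupported cookie value all resolve to the default language, so the handler never emits a redirect it did not construct itself.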