Free Republic

Summary of findings.

Mr. Smith and I baked dozens of cookies yesterday. The MSIE 6.x were all tasty. Unfortunately, the Netscape 4.78 cookies left a bitter taste in our mouths.

Netscape cookies are required to contain at least two dots in the domain field, if a domain is given. The convention is to use, for example, .freerepublic.com (note the leading dot). This works fine for http://www.freerepublic.com and http://beta.freerepublic.com. The problem URL is http://freerepublic.com, which contains just one dot. Netscape refuses to set a cookie, any cookie, for the single dot URL if the cookie's domain field is set within the cookie. The double dot .freerepublic.com cookie domain field does not work, I assume, because .freerepublic.com is not a substring of freerepublic.com. Since Netscape refuses to set cookies with just a single dot in the cookie domain field, http://freerepublic.com will not work if the cookie domain is specified. However, it WILL work if the cookie domain field is not specified and allowed to default. Unfortunately, such cookies do not match the other variants of URLs (http://www.freerepublic.com nor http://beta.freerepublic.com).

Ergo, our finding, it's screwed.

The possible solutions are many. Smith and I discussed redirecting. Redirecting may have a snag, as the only HTTP request method eligible for redirection is GET (redirecting of POST is probably not well supported, and redirecting of HEAD will not have the desired effect--I don't think. However, it has been a long time since I've read the HTTP specs.) Though in reality, this may be inconsequential.

Another solution is to discontinue web serving on http://freerepublic.com as most web browsers will prepend www. to the URL if the www-less variant fails to connect to a web server. My only concern is of the thousands of www-less URLs that exist and the browsers and web spiders that will not hunt down the www version.

A final solution is to explicitly set a BASE HREF="http://www.freerepublic.com/etc" in all documents generated.

Though, these solutions only affect the one issue of not being able to use the generic .freerepublic.com (double dot) cookie domain. I still have other unresolved HTTP cookie issues, such as not being able to clear cookies, and getting requests with cookies that Free Republic never set (and being unable to unset them.)
25 posted on 07/10/2002 2:23:45 AM PDT by John Robinson
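The three cookie-domain choices discussed in post 25, run through a small model of the rules as that post describes them. This is an added example, not code from the thread or from Netscape; the function names are hypothetical, and the two-dot and tail-match checks are simplified to what the post states.

```python
# Added illustration: a model of the Netscape 4.x cookie rules as described
# in the post above, not Netscape's actual implementation.

HOSTS = ["freerepublic.com", "www.freerepublic.com", "beta.freerepublic.com"]


def accepts(setting_host, domain_attr):
    """Return the stored cookie scope, or None if the cookie is refused.

    domain_attr is the Set-Cookie domain field, or None when it is omitted.
    """
    if domain_attr is None:
        # No domain field: the cookie defaults to the exact setting host.
        return ("host-only", setting_host)
    if domain_attr.count(".") < 2:
        # Two-dot rule: "freerepublic.com" has one dot and is refused.
        return None
    if not setting_host.endswith(domain_attr):
        # Tail match: ".freerepublic.com" is not a suffix of "freerepublic.com".
        return None
    return ("domain", domain_attr)


def sent_to(scope, request_host):
    """Would a stored cookie with this scope be sent to request_host?"""
    if scope is None:
        return False
    kind, value = scope
    if kind == "host-only":
        return request_host == value
    return request_host.endswith(value)


def coverage(domain_attr):
    """Map each setting host to the hosts that later receive its cookie."""
    return {
        setter: [h for h in HOSTS if sent_to(accepts(setter, domain_attr), h)]
        for setter in HOSTS
    }


if __name__ == "__main__":
    for attr in (".freerepublic.com", "freerepublic.com", None):
        print(f"domain={attr!r}")
        for setter, receivers in coverage(attr).items():
            print(f"  set from {setter:<22} -> sent to {receivers or 'nobody'}")
```

No single choice of domain field yields a cookie that can be set from, and returned to, all three hostnames, which is why the post turns to redirecting or dropping the www-less host.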


To: John Robinson
On a side note, we discovered an MSIE 6 quirk: when setting cookies with the security preferences sufficiently elevated, the cookie is set for only the one browser window which handled the request. This was discovered by opening two MSIE 6.x browser windows, A and B, to the same URL, baking a cookie in one window and checking for it in the other.

Smith determined that by lowering the browser's security preferences (to medium?) both windows would take the cookie. The odd behavior was due to our paranoid settings. We didn't investigate further, as the bitter taste of Netscape cookie was about to bite.
26 posted on 07/10/2002 2:30:48 AM PDT by John Robinson



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson