cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] Use magic expiration value for session cookies

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 3 Sep 2009 10:26:14 +0200 (CEST)

On Wed, 2 Sep 2009, Claes Jakobsson wrote:

> curl currently treats cookies whose internal expiration = 0 as session
> cookies. However this cases a problem when a server sets a cookie with the
> expiration date of 1970-01-01 00:00:00 which is epoch 0.
>
> The supplied patch changes session cookies to have expiration value
> -0x00C0FFEE so that epoch 0 works as expected. Attached is also a new
> testcase for it.

I appreciate your effort and what you're trying to do. But I think this
approach is a bit too strange. I suggest a different approach. (I just
committed a better date parser API for internal use too. It will now allow our
code to properly separate parsing errors from time overflow or failed to parse
etc.)

I suggest we instead store 1970-01-01 00:00:00 as expires at 1, as a special
case. The date is far away in the past anyway (hey even before *I* was born)
and it won't matter if 'expires' 1970-01-01 00:00:00 and 1970-01-01 00:00:01
will both use 1. This allows us to keep 0 reserved for "session cookies" and
allows us to save the cookies fine in the netscape file format exactly like
today.

> Another thing I've noticed is that the dumper that writes cookies to a file
> includes session cookies. Is this really wanted?

Oh yes it is actually very important. A length of a session is not defined by
anyone else than the user agent. A session can last for a long time. Apps such
as the curl command line tool can also be used to do many invokes (starts and
stops) during the same session and then it needs to have the cookies saved
between each invoke.

That's the primary reason why we have the CURLOPT_COOKIESESSION option. It
allows an app to say that a new session has started, so that all old session
cookies can be discarded on load and be forgotten.

-- 
  / daniel.haxx.se
Received on 2009-09-03