[ic] CookieName directive fails

Mike Heins mike at perusion.com
Thu Aug 11 21:13:50 EDT 2005


Quoting Kevin Walsh (kevin at cursor.biz):
> Davor Ocelic [docelic at mail.inet.hr] wrote:
> > Interchange cookie is in the form:
> > 
> >   SessionID (8 to 32 characters), followed by a colon (:),
> >     followed by an IP address, username or domainname.
> > 
> > When no CookieName is set, the code takes the default path
> > and extracts session ID by using this hard-coded regex:
> > 
> > MV_SESSION_ID=(\w{8,32})[:_]
> > 
> > As you see, from the complete MV_SESSION_ID string, it only
> > takes first 8 to 32 characters, before the colon or underscore.
> > 
> > However, when CookieName *is* set, it tries to match this:
> > 
> > $::Instance->{CookieName}=($Vend::Cfg->{CookiePattern})
> > 
> > The problem is that CookiePattern is currently set to
> > '[-\w:.]+', which is too liberal, and matches the whole cookie
> > value instead of just the session part (8-32 chars) up to the first comma.
> > 
> > I suppose the solution is to change the default CookiePattern
> > value from [-\w:.]+ to \w{8,32}
> > 
> > 
> > Otherwise, I've tested and CookieName works properly "out of the box".
> > 
> To be honest, I can't see the point of the CookiePattern at all and,
> given its problems, I'm wondering if anyone is actually making any
> use of it at all in its current form.

Yes, there is at least one catalog using it. And that catalog happens
to have the pattern that fits what CookiePattern defaults to.

If we were to use your patch, a cookie could never have a non-word
character value. This is not acceptable, alas. I know quite a few
session id types that have at least '-' in them, and I know of one
that has a ':' in it.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Being against torture ought to be sort of a bipartisan thing.
-- Karl Lehenbauer
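
The matching behaviour discussed in this thread, as an added Perl example (not Interchange source and not code from any poster). The cookie name `SHOP_SID`, the session IDs and the `192.0.2.10` address are constructed sample values, and `extract_named` is a hypothetical helper that builds the expression in the form quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Default path: the hard-coded expression quoted in the thread.
sub extract_default {
    my ($header) = @_;
    return $header =~ /MV_SESSION_ID=(\w{8,32})[:_]/ ? $1 : undef;
}

# CookieName path: <name>=(<CookiePattern>).
# $name and $pattern stand in for $::Instance->{CookieName} and
# $Vend::Cfg->{CookiePattern}. Hypothetical helper, not Interchange code;
# quoting the name with \Q...\E is an assumption of this example.
sub extract_named {
    my ($header, $name, $pattern) = @_;
    return $header =~ /\Q$name\E=($pattern)/ ? $1 : undef;
}

my $liberal = '[-\w:.]+';    # current default CookiePattern per the thread
my $strict  = '\w{8,32}';    # replacement default proposed in the thread

# Constructed Cookie headers: session ID, colon, then the client address.
my $plain  = 'lang=en; SHOP_SID=AbCd1234:192.0.2.10';
my $dashed = 'lang=en; SHOP_SID=3f2a-91bc-77de:192.0.2.10';

sub show {
    my ($label, $value) = @_;
    printf "%-34s %s\n", $label, defined $value ? "'$value'" : 'no match';
}

show('default name, hard-coded regex:',
     extract_default('MV_SESSION_ID=AbCd1234:192.0.2.10'));

for my $case (
    [ 'plain id,  liberal pattern:', $plain,  $liberal ],
    [ 'plain id,  strict pattern:',  $plain,  $strict  ],
    [ 'dashed id, liberal pattern:', $dashed, $liberal ],
    [ 'dashed id, strict pattern:',  $dashed, $strict  ],
) {
    my ($label, $header, $pattern) = @$case;
    show($label, extract_named($header, 'SHOP_SID', $pattern));
}
```

The liberal pattern returns the whole cookie value including the address suffix, while the strict pattern returns only the plain ID and finds no match for the ID containing `-`, which is the trade-off the two posters describe.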

