[ic] CookieName directive fails
Mike Heins
mike at perusion.com
Thu Aug 11 23:09:10 EDT 2005
Quoting Kevin Walsh (kevin at cursor.biz):
> Mike Heins [mike at perusion.com] wrote:
> > Quoting Kevin Walsh (kevin at cursor.biz):
> > > To be honest, I can't see the point of the CookiePatern at all and,
> > > given its problems, I'm wondering if anyone is actually making any
> > > use of it at all in its current form.
> > >
> > Yes, there is at least one catalog using it. And that catalog happens
> > to have the pattern that fits what CookiePattern defaults to.
> >
> > If we were to use your patch, a cookie could never have a non-word
> > character value. This is not acceptable, alas. I know quite a few
> > session id types that have at least '-' in them, and I know of one
> > that has a ':' in it.
> >
> Do you mean the session ID itself? I thought that was just randomly
> generated with Vend::Util::random_string(), using the $random_chars
> value ([A-Za-z0-9] minus [O01l]). That would be captured by the
> existing default (\w{8,32}) pattern. The current CookiePattern
> directive allows other patterns to be matched, but that doesn't affect
> the Session ID generation. The only reason to use CookiePattern at
> the moment, as far as I can see, is because it's required when using
> the CookieName directive.
Yes. And because the whole idea of CookieName is that you can
accept a cookie from some other program -- i.e. not generated
by IC.
>
> The default (hard-coded) cookie pattern allows for ':' (separating
> the ID from the IP/user/host) and chars like '-' and '@' in the middle
> of a user/hostname. My patch proposal shouldn't have removed any
> of that, so I would expect existing setups to work without change.
>
> Correct me if I'm wrong. I have been known to be. :-)
>
The patch proposal would say you need \w only, from what I could
see.
> The current (\w{8,32}) could be changed to ([-\w:.]+?), which would
> allow for a more liberal session ID match and still fit in with the
> patch proposal. I can't see that as being necessary at the moment,
> unless people are creating their own session ID naming schemes for
> some reason.
I don't see anything wrong with changing the values. If that is
to be done, though, I suggest it be done in the catalog.cfg file
of the standard demo. Changing the default will break at least one
(though maybe not more) catalog on upgrade.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.647.1295 tollfree 800-949-1889 <mike at perusion.com>
Be patient. God isn't finished with me yet. -- unknown
More information about the interchange-users
mailing list