Full Disclosure mailing list archives

Multiple Cookies combined to a single Set-Cookie response
From: Phani <pklanka () gmail com>
Date: Fri, 20 Mar 2009 11:33:08 +0530

Hello everyone,
I am facing trouble setting multiple cookies combined in a single
Set-Cookie request. Though I am following RFC 2109
(http://www.faqs.org/rfcs/rfc2109) and MSDN
(http://msdn.microsoft.com/en-us/library/aa384321(VS.85).aspx), both IE
and Firefox are non-responsive to the multiple cookies set in the single
Set-Cookie request.

I have tried the following on Apache / IIS Servers. (The type of webserver
may not be relevant since the Set-Cookie header is one and the same in the
HTTP responses. It is the browser which is not accepting the multiple
cookies set)

Trial #1
----Server response----------
Set-Cookie: a1=b1; a2=b2; a3=b3

----Client cookies-------------
Cookie: a1=b1

Trial #2
----Server response----------
Set-Cookie: a1=b1;a2=b2;a3=b3

----Client cookies-------------
Cookie: a1=b1

Trial #3 (I thought this would work, since it matches what is written
in the RFC, but instead of creating new cookies, the browser is setting
the value of a1 to be "b1, a2=b2, a3=b3")
----Server response----------
Set-Cookie: a1=b1, a2=b2, a3=b3
Xpad: avoid browser bug

----Client cookies-------------
Cookie: a1=b1, a2=b2, a3=b3

Could anyone put in any thoughts on this...

Phani Kumar Lanka
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
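
Added example, not part of the original post: a simplified JavaScript model of the parsing that the three trials exhibit, where everything before the first `;` in a Set-Cookie value is the one cookie and later `;`-separated pieces are read as attributes of that cookie. The function names are hypothetical, and the last case (one Set-Cookie header per cookie) is not among the trials in the post.

```javascript
// Simplified model (an assumption for illustration, not a full cookie parser):
// one Set-Cookie header value yields at most ONE cookie. The text before the
// first ';' is name=value; each later piece is an attribute of that cookie.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';');
  const pair = parts[0];
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no '=' or empty name: header is ignored
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(), // commas stay part of the value
    attributes: {},
  };
  for (const raw of parts.slice(1)) {
    const piece = raw.trim();
    if (!piece) continue;
    const i = piece.indexOf('=');
    const key = (i === -1 ? piece : piece.slice(0, i)).trim().toLowerCase();
    // "a2=b2" lands here as an unrecognised attribute, not as a new cookie
    cookie.attributes[key] = i === -1 ? true : piece.slice(i + 1).trim();
  }
  return cookie;
}

// Builds the Cookie request header a client would send back after storing
// the single cookie parsed from each Set-Cookie header it received.
function cookieRequestHeader(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (c) jar.set(c.name, c.value);
  }
  return [...jar].map(([n, v]) => `${n}=${v}`).join('; ');
}

// Header values from Trials #1-#3 in the post, then one header per cookie.
const trial1 = cookieRequestHeader(['a1=b1; a2=b2; a3=b3']);
const trial2 = cookieRequestHeader(['a1=b1;a2=b2;a3=b3']);
const trial3 = cookieRequestHeader(['a1=b1, a2=b2, a3=b3']);
const separate = cookieRequestHeader(['a1=b1', 'a2=b2', 'a3=b3']);
console.log({ trial1, trial2, trial3, separate });
```

Under this model the first three results match the client cookies reported in the post, and only the one-header-per-cookie case stores all three names.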
