Message-ID: <e74e68850903192303v1e2f5ccfmfc52a7b04179f83b@mail.gmail.com>
Date: Fri, 20 Mar 2009 11:33:08 +0530
From: Phani <pklanka@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Multiple Cookies combined to a single Set-Cookie
	response

Hello everyone,
I am having trouble setting multiple cookies combined in a single
Set-Cookie request. Though I am following RFC 2109
(http://www.faqs.org/rfcs/rfc2109) and MSDN
(http://msdn.microsoft.com/en-us/library/aa384321(VS.85).aspx), both IE
and Firefox are non-responsive to the multiple cookies set in the single
Set-Cookie request.

I have tried the following on Apache / IIS servers. (The type of web server
may not be relevant, since the Set-Cookie header is one and the same in the
HTTP responses. It is the browser which is not accepting the multiple
cookies set.)


Trial #1
----Server response----------
Set-Cookie: a1=b1; a2=b2; a3=b3

----Client cookies-------------
Cookie: a1=b1

Trial #2
----Server response----------
Set-Cookie: a1=b1;a2=b2;a3=b3

----Client cookies-------------
Cookie: a1=b1

Trial #3 (I thought this would work, since it matches what is written
in the RFC, but instead of creating new cookies, the browser is setting the
value of a1 to be "b1, a2=b2, a3=b3")
----Server response----------
Set-Cookie: a1=b1, a2=b2, a3=b3
Xpad: avoid browser bug

----Client cookies-------------
Cookie: a1=b1, a2=b2, a3=b3

Could anyone put in any thoughts on this...


regards
Phani Kumar Lanka
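
The results of the three trials match the Set-Cookie parsing algorithm that was later written down in RFC 6265, section 5.2: one header carries one cookie, everything after the first ";" is read as attributes, and a comma is an ordinary character in the value. The sketch below is an added example, not part of the original post; the function names are its own and it leaves out domain/path matching and expiry.

```javascript
// Simplified model of how a browser reads ONE Set-Cookie header value
// (algorithm of RFC 6265 section 5.2). Function names are this example's own;
// domain/path matching and expiry are left out.
const KNOWN = new Set(['expires', 'max-age', 'domain', 'path', 'secure', 'httponly']);

function parseSetCookie(headerValue) {
  // Everything before the first ';' is the one and only name=value pair.
  const semi = headerValue.indexOf(';');
  const pair = semi === -1 ? headerValue : headerValue.slice(0, semi);
  const rest = semi === -1 ? '' : headerValue.slice(semi + 1);
  const eq = pair.indexOf('=');
  if (eq === -1) return null;                 // no '=': header ignored
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();    // commas stay inside the value
  if (name === '') return null;               // empty name: header ignored

  // The remaining ';'-separated pieces are attributes, never more cookies.
  const attributes = {};
  const ignored = [];
  for (const piece of rest.split(';')) {
    const p = piece.trim();
    if (p === '') continue;
    const i = p.indexOf('=');
    const attr = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    if (KNOWN.has(attr)) attributes[attr] = i === -1 ? '' : p.slice(i + 1).trim();
    else ignored.push(p);                     // unknown attribute: dropped
  }
  return { name, value, attributes, ignored };
}

// Cookie request header a client would send after receiving these headers.
function cookieHeaderFor(setCookieValues) {
  const jar = new Map();
  for (const v of setCookieValues) {
    const c = parseSetCookie(v);
    if (c) jar.set(c.name, c.value);
  }
  return [...jar].map(([n, v]) => `${n}=${v}`).join('; ');
}

// Constructed inputs: the three trials from the post, then one header per cookie.
console.log(cookieHeaderFor(['a1=b1; a2=b2; a3=b3']));   // trial 1
console.log(cookieHeaderFor(['a1=b1;a2=b2;a3=b3']));     // trial 2
console.log(cookieHeaderFor(['a1=b1, a2=b2, a3=b3']));   // trial 3
console.log(cookieHeaderFor(['a1=b1', 'a2=b2', 'a3=b3']));
```

Attributes such as Secure and HttpOnly apply only to the single cookie in their own header, so each cookie needs its own Set-Cookie header carrying its own attributes.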
