Received: (qmail 21454 invoked by uid 2012); 15 May 1998 14:07:43 -0000 Message-Id: <19980515140743.21453.qmail@hyperreal.org> Date: 15 May 1998 14:07:43 -0000 From: Tim Carroll Reply-To: timc@im.picker.com To: apbugs@hyperreal.org Subject: Incorrect writing of the date string in cookies to MSIE X-Send-Pr-Version: 3.2 >Number: 2233 >Category: mod_usertrack >Synopsis: Incorrect writing of the date string in cookies to MSIE >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Fri May 15 07:10:01 PDT 1998 >Closed-Date: Wed May 03 13:34:50 PDT 2000 >Last-Modified: Wed May 03 13:34:50 PDT 2000 >Originator: timc@im.picker.com >Release: 1.3b6 >Organization: >Environment: Solaris, gcc, etc. Probably not important. >Description: I wasn't able to get the mod_usertrack module (Apache 1.3b6) to write a dated cookie to MSIE browsers and I discovered after looking through Microsoft docs that the date string sent to set a cookie must be of the form: expires=day, dd mm yr 00:00:00 GMT --while mod_usertrack sets the date with the string: expires=day, dd-mm-yr 00:00:00 GMT >How-To-Repeat: Attempt to set a cookie with an expiry date to MSIE. Cookie isn't accepted. Send a cookie without an expiry date and the cookie is accepted. (Changing the CookieExpires directive from format "2years" to 63072000 will not reformat the date string sent to the cookie, BTW) >Fix: The fix seems to be to change line 192 of mod_user_track.c from: "%s%s; path=/; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT", to: "%s%s; path=/; expires=%s, %.2d %s %.2d %.2d:%.2d:%.2d GMT", Recompilation of module code without hyphens has resulted in successfully setting dated cookies to MSIE 3.x and 4.x on Win95 in addition to Netscape browsers. >Release-Note: >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: brian State-Changed-When: Tue May 19 19:43:40 PDT 1998 State-Changed-Why: I don't know about that - Microsoft's own servers issue their expires format the way netscape defined it. Do a HEAD request on www.expedia.com and you'll see the dd-mm-yy format. In 10 minutes of searching I couldn't find any documentation on the www.microsoft.com web site about their expected formats. Severity-Changed-From-To: critical-non-critical Severity-Changed-By: brian Severity-Changed-When: Tue May 19 19:43:40 PDT 1998 From: Tim Carroll To: brian@hyperreal.org Cc: apbugs@Apache.Org Subject: mod_usertrack/2233: Incorrect writing of the date string in cookies to MSIE Date: Thu, 28 May 98 15:48:19 EDT My apologies for not including the URL of the relevant Microsoft document: http://premium.microsoft.com/msdn/library/partbook/instantj/html/javascriptcooki es.htm This is (was) the only reference to by-hand date formatting of cookies on the entire site and now it seems not to exist anymore although, as you probably saw, it is still listed as available by the site search. I printed a copy of the doc before it disappeared and I will fax it to you if you are interested in looking it over. Please let me know. In short, the document states: "The date for 'expires' requires the exact format that the toGMTString() method of the date object produces: //example date: 'Mon, 13 Oct 1997 12:40:34 GMT' " Of course we are dealing with Microsoft's JavaScript here and not something explicitly server/cgi-generated however my results from resetting the line of code in mod_usertrack.c *did* result in my setting a persistent cookie, one written to the Cookie file, where I hadn't been able to do before with the standard build. I checked www.expedia.com and didn't find any "expires="-style Set-Cookie header at all. I did, however, find a Microsoft server, www.nomade.fr, which set a cookie to all of my browsers using the Netscape (with hyphens) method. So, I'm now not so sure of the validity of my orginal bug post. Still, the sans-hyphen method is the only one which works for my MSIE 4.x Win32 from Apache and I will use my own build for a forthcoming version of our server. State-Changed-From-To: analyzed-feedback State-Changed-By: coar State-Changed-When: Thu Apr 29 09:53:15 PDT 1999 State-Changed-Why: [This is a standard response.] This Apache problem report has not been updated recently. Please reply to this message if you have any additional information about this issue, or if you have answers to any questions that have been posed to you. If there are no outstanding questions, please consider this a request to try to reproduce the problem with the latest software release, if one has been made since last contact. If we don't hear from you, this report will be closed. If you have information to add, BE SURE to reply to this message and include the apbugs@Apache.Org address so it will be attached to the problem report! State-Changed-From-To: feedback-closed State-Changed-By: coar State-Changed-When: Wed May 3 13:34:50 PDT 2000 State-Changed-Why: RFC2109 does not appear to support "expires" as a valid attribute for Cookie and Set-Cookie header fields in any event. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]