
(Off topic) Can cookies leak?

by rkg (Hermit)
on Dec 08, 2003 at 23:01 UTC

rkg has asked for the wisdom of the Perl Monks concerning the following question:

Hi -- Apologies in advance if this is an off-topic question.

I have a mod_perl application that reads and writes cookie(s). When needed, my code reads a certain cookie and takes certain actions, or writes certain cookies after some actions.

While debugging, I started logging $ENV{HTTP_COOKIE}, just to watch every cookie my server could see on the client.

I was somewhat surprised to find, occasionally, cookies that I didn't set -- in particular, some Cold Fusion cookies like CFMAGIC. I know there is no Cold Fusion anywhere in my domain....

Do browsers ever "leak" cookies?

Again, not a perl issue (I think), but confusing to me as I debug mod_perl....



Replies are listed 'Best First'.
Re: (Off topic) Can cookies leak?
by jasonk (Parson) on Dec 08, 2003 at 23:08 UTC

    Cookies are supposed to be sent back only to the server that set them, but you are depending on the browser for the determination of where to send them. Some older browsers would let you set a cookie to be sent back to domain '.com.', with the result of sending the cookie back to any .com server it contacted. People rolling their own spider code will frequently copy the Cookie headers from a test request without bothering to find out what they mean, resulting in odd cookies being sent to web servers everywhere. Some anonymizing or sanitizing proxies will replace cookies that are commonly used for tracking browsers with versions that contain random identifiers, so the site will not give them a cookie error, but will also not get any useful information from the cookies they attempt to set. So although it is rare for cookies to actually 'leak', there are all kinds of fringe cases that can result in you getting strange cookies.

    We're not surrounded, we're in a target-rich environment!
Re: (Off topic) Can cookies leak?
by inman (Curate) on Dec 09, 2003 at 10:12 UTC
    The browser will send cookies to any site that matches the criteria information sent by the server when the cookie was sent. This boils down to a match on the domain (not server) name, the cookie path (usually / ) etc. This all works fine if you have only one web server but as soon as you have more than one server setting cookies then you start to experience a number of issues which include:

    1. Your server getting cookies that it did not set. This happens because there are other servers in the same domain that are setting cookies.
    2. Losing cookies because the browser stores a maximum number of cookies per domain (this figure may be about 20 cookies).

    In response to your question, at some point in time, your browser has acquired a cookie from a Cold Fusion server that corresponds to the domain of your web server.

    There is a useful FAQ and the Netscape Cookie Spec which you might find to be useful.
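
The domain and path matching described in the reply above, as an added example that is not part of the original thread: it builds the Cookie header a browser would send to one host, then splits it server-side into cookies the application issued and names it never set. The hosts under example.com, the cookie values, the `session` cookie name and all function names are assumptions constructed for illustration; the domain check is a simplified tail match on label boundaries.

```perl
use strict;
use warnings;

# Constructed cookie jar: what a browser might hold after visiting two
# hosts in the same (hypothetical) domain example.com, plus one other site.
my @jar = (
    { name => 'session', value => 'abc123', domain => 'www.example.com', path => '/' },
    { name => 'CFMAGIC', value => '42:xyz', domain => '.example.com',    path => '/' },
    { name => 'other',   value => '1',      domain => '.example.org',    path => '/' },
);

# Tail match: the cookie domain must equal the request host or be a
# suffix of it on a label boundary (simplified for this example).
sub domain_matches {
    my ($host, $domain) = map { lc } @_;
    (my $bare = $domain) =~ s/^\.//;
    return $host eq $bare || $host =~ /\.\Q$bare\E$/;
}

# Build the Cookie header a browser would send for this host and path.
# The cookie path must be a prefix of the request path.
sub cookie_header_for {
    my ($host, $path) = @_;
    return join '; ',
        map  { "$_->{name}=$_->{value}" }
        grep { domain_matches($host, $_->{domain}) && index($path, $_->{path}) == 0 } @jar;
}

# Server side: split the header into cookies this application sets and
# names it never issued. %expected is an assumption for the example.
sub split_cookies {
    my ($header, %expected) = @_;
    my (%mine, @foreign);
    for my $pair (split /;\s*/, $header // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        if ($expected{$name}) { $mine{$name} = $value // '' }
        else                  { push @foreign, $name }
    }
    return (\%mine, \@foreign);
}

my $header = cookie_header_for('www.example.com', '/app/');
my ($mine, $foreign) = split_cookies($header, session => 1);
print "Cookie header: $header\n";
print "Application cookies: @{[ sort keys %$mine ]}\n";
print "Unexpected cookie names (values not logged): @$foreign\n";
```

In a mod_perl handler the same `split_cookies` call can take `$ENV{HTTP_COOKIE}` directly, so that only names the application issued are acted on and the rest are logged by name only.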

Node Type: perlquestion [id://313296]
Approved by Roger