rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
From: Gaius <james.a.rosen@gmail.com>
To: Rack Development <rack-devel@googlegroups.com>
Subject: Re: Bug: Rack inserts "Set cookie" on 304 Not Modified request
Date: Tue, 15 Jun 2010 05:10:58 -0700 (PDT)
Message-ID: <ae113115-2151-4a38-a58e-6d3142d3e1b8@j4g2000yqh.googlegroups.com>
In-Reply-To: <acbc5d4a-902a-4d17-b90a-5c9c6758014a@q12g2000yqj.googlegroups.com>

+100,000,000,000 to Jan for such a thorough and well-written bug
report!

But I'm not sure about a +1 for the actual change. If you look at the
HTTP spec (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5),
304 responses can't have entity headers, but as Ryan Eberhard points out
(https://issues.apache.org/bugzilla/show_bug.cgi?id=18388), "Set-Cookie"
can reasonably be described as a response header rather than an entity
header.

On Jun 15, 6:01 am, "Jan M." <jmfa...@gmail.com> wrote:
> The rack session logic always adds a "Set cookie" header to each
> response, even when the cookie has not changed. This is a little bit
> wasteful but if the response happens to be a "304 - Not Modified" then
> this is actually problematic in one particular edge case: Internet
> Explorer 7 will destroy the cookie if there is a combination of a "Set
> cookie" header on a 304 response inside an Iframe. This happens even
> if the cookie previously existed, thus destroying the session and
> typically logging the user out.
>
> This bug is hard to identify since it requires a combination of IE7,
> an Iframe and a 304 request, but a search on the Rails forums on
> "iframe logout" turns up quite a few people who ran into it. The
> reason that IE7 does this is that it requires a so called P3P header
> for it to accept cookies inside an Iframe and Apache will correctly
> filter P3P headers from the response since those are not allowed on
> 304 responses according to W3C specs. Whether the Set-Cookie header is
> allowed on a 304 is debatable, but Apache doesn't filter those leading
> IE7 to believe there is a problem.
>
> So it's a combination of 3 bugs: Rack should not add a cookie on a
> 304, Apache should filter all headers or none, but not half, and IE7
> should not destroy a cookie that already existed (fixed in IE8 by the
> way).
>
> A solution is to add a middleware layer in rails that simply does:
>
>   # Rack middleware: drop Set-Cookie from 304 Not Modified responses
>   class StripSetCookieOn304
>     def initialize(app)
>       @app = app
>     end
>     def call(env)
>       response = @app.call(env)
>       response[1].delete('Set-Cookie') if response[0] == 304
>       response
>     end
>   end
>
> One option is to add similar logic to Rack, but in my opinion it would
> be more elegant if Rack would simply not add a cookie when the cookie
> has not changed.
> Credit to Robert Vogel for figuring most of this out.
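The two fixes discussed in the thread, as an added example that is not code from Rack or from either poster: `StripSetCookieOn304` is the workaround middleware from Jan's post, and `SessionCookieWriter` shows the behaviour Jan asks Rack for, emitting `Set-Cookie` only when the cookie value actually differs from what the client sent. It is plain Ruby with no gems required; the cookie name and env key `example.session`, the stub inner app and the constructed requests are assumptions for this example.

```ruby
# Added example, not code from the original thread or from Rack itself.
# Two tiny Rack-style middlewares in plain Ruby (no gems needed) following
# the [status, headers, body] convention. The cookie name / env key
# 'example.session' is an assumption for this example.

# Workaround from the thread: drop Set-Cookie from every 304 response.
class StripSetCookieOn304
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers.delete('Set-Cookie') if status.to_i == 304
    [status, headers, body]
  end
end

# Splits a raw Cookie request header into a name => value Hash.
def parse_cookie_header(raw)
  raw.to_s.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    cookies[name.strip] = value.to_s unless name.nil? || name.strip.empty?
  end
end

# Preferred fix: write the session cookie only when its value changed.
# The app stores its (already serialised) session in env['example.session'].
class SessionCookieWriter
  COOKIE_NAME = 'example.session' # assumed cookie name

  def initialize(app)
    @app = app
  end

  def call(env)
    incoming = parse_cookie_header(env['HTTP_COOKIE'])[COOKIE_NAME]
    env['example.session'] = incoming
    status, headers, body = @app.call(env)
    outgoing = env['example.session']
    # Unchanged cookie: no Set-Cookie at all, so a 304 carries nothing.
    if outgoing && outgoing != incoming
      headers['Set-Cookie'] = "#{COOKIE_NAME}=#{outgoing}; Path=/; HttpOnly"
    end
    [status, headers, body]
  end
end

# Builds a stack around a stub app that answers with `status` and, when
# `new_session` is given, replaces the session value (constructed app).
def build_stack(status, new_session = nil)
  inner = lambda do |env|
    env['example.session'] = new_session if new_session
    [status, {}, []]
  end
  StripSetCookieOn304.new(SessionCookieWriter.new(inner))
end

# Runs a constructed request through the stack and returns the response
# headers so the effect on Set-Cookie can be inspected.
def response_headers(status, cookie_header, new_session = nil)
  env = { 'REQUEST_METHOD' => 'GET', 'HTTP_COOKIE' => cookie_header }
  _status, headers, _body = build_stack(status, new_session).call(env)
  headers
end

if __FILE__ == $PROGRAM_NAME
  p response_headers(200, 'example.session=abc')        # unchanged: {}
  p response_headers(200, 'example.session=abc', 'def') # changed: Set-Cookie
  p response_headers(304, 'example.session=abc', 'def') # 304: stripped, {}
end
```

The order of the two middlewares matters: `StripSetCookieOn304` wraps `SessionCookieWriter`, so a session change on a 304 is still dropped before it reaches the client, which is the edge case the thread describes.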

Thread overview:
2010-06-15 10:01 Bug: Rack inserts "Set cookie" on 304 Not Modified request Jan M.
2010-06-15 12:10 ` Gaius [this message]
2010-06-15 23:37   ` Jan M.
2010-06-15 23:43     ` Jan M.