Set-Cookies compliant Methods

Open myrsolphrets opened this issue 10 years ago • 2 comments

Does 1.0 support this? We can't use 2.0 because our servers have to run PHP 5.3 and can't run 5.4 without a complete rewrite of our product. Below is the info I am questioning.


now enforcing Set-Cookies compliant methods.

The Set-Cookies were appended rather than two distinct cookies in the response header. The RFC 2109 states that this Set-Cookies method is valid.

Please refer to RFC2101 Section 4.2.2: http://www.ietf.org/rfc/rfc2109.txt

This states:

Informally, the Set-Cookie response header comprises the token Set-Cookie, followed by a comma-separated list of one or more Session-IDs.

The server is sending two cookies (Session IDs), not two cookie headers. Two cookies are sent using the current HTTP standard, which requires them to be on the same line. Sending multiple headers, while supported by most browsers as it was ambiguous in the first standard, is now not the RFC-compliant method and was clarified in the refreshed HTTP cookie standard two years ago (RFC6265 Sec 4.1.1 - Pg. 9). The HTTP design is that each header should only exist once in any single request; multiple instances of a header should be an array or list of elements on the header.

Proper Response and Request:

Example:

-- RESPONSE: --

    200 OK
    Set-Cookie: RETS-Session-ID=97513634597; Path=/,MRIS1_RETS-Session-ID=hknhnmmiakoohcobpcebajdiapmlblngpgljpjhmkmjcpkkanahkccpccgcmplpfkaalflinaiog; Path=/
    Server: nginx

-- REQUEST: --

    Cookie: RETS-Session-ID=97513634597; MRIS1_RETS-Session-ID=hknhnmmiakoohcobpcebajdiapmlblngpgljpjhmkmjcpkkanahkccpccgcmplpfkaalflinaiog

myrsolphrets avatar May 05 '15 16:05 myrsolphrets

It should, yes. Are you having trouble with it? I've personally connected to MRIS's servers using a number of different feeds and accounts and haven't had issues (at least related to authentication or sessions).

troydavisson avatar May 05 '15 18:05 troydavisson

Hey Troy, I have been having issues pulling data from that board, though I was not sure if it was their new system cookie/session requirements or something else. If you like, I can send you an error report from phrets, as I am now running the most recent version for 1.0. By the way, thank you for the help.

Debug code:

            <TITLE>Unauthorized Request Blocked</TITLE>

            <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
            <META HTTP-EQUIV="Expires" CONTENT="-1">
    </HEAD>

    <BODY>
            <H1>Unauthorized Activity Detected</H1>
            <BR>
            You are seeing this page because we have detected unauthorized activity. If you believe that there has been some mistake,
            please email our RETS Support team at:
            <a href="mailto:[email protected]?subject=Security Page - Transaction ID 2192289581&body=Case Description:">[email protected]</a>
            with the following Transaction ID in its subject: 2192289581.
            <P>
            Transaction ID: 2192289581
            <P>
            Your IP Address: 174.107.-------
            </P><P>
            Your Port Number: 28674
    </P><P>
            Event Name: HTTP RFC Violation
    </P><P>
            Event Category: HTTP RFC Violations
            </P>
    </BODY>

Mark

myrsolphrets avatar May 05 '15 18:05 myrsolphrets
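
Added example (not part of the thread and not PHRETS code): one way a client can accept the comma-folded Set-Cookie form quoted in the first post, as well as repeated Set-Cookie lines, and produce the single Cookie request header shown there. The function names and cookie values are constructed for illustration, and the Expires attribute is added to show that the comma inside a date is not taken as a cookie separator.

```php
<?php
// Added example, not PHRETS code. Cookie values below are constructed.

// Split one Set-Cookie value that may hold several comma-folded cookies
// (the RFC 2109 form quoted above). Split only at a comma followed by
// "name=", so the comma inside an Expires date is left alone.
function split_folded_set_cookie($value)
{
    return array_map('trim', preg_split('/,(?=\s*[^;,=\s]+=)/', $value));
}

// Collect name => value pairs from a raw header block, accepting both
// repeated Set-Cookie lines and the comma-folded form.
function collect_cookies($rawHeaders)
{
    $jar = array();
    foreach (preg_split('/\r\n|\n/', $rawHeaders) as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a Set-Cookie header line
        }
        $value = substr($line, strlen('Set-Cookie:'));
        foreach (split_folded_set_cookie($value) as $cookie) {
            // First "name=value" segment is the cookie; the rest are attributes.
            $segments = explode(';', $cookie);
            $pair = explode('=', trim($segments[0]), 2);
            if (count($pair) === 2 && $pair[0] !== '') {
                $jar[$pair[0]] = $pair[1];
            }
        }
    }
    return $jar;
}

// Build the single Cookie request header: pairs joined with "; ".
function build_cookie_header(array $jar)
{
    $pairs = array();
    foreach ($jar as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return 'Cookie: ' . implode('; ', $pairs);
}

// Constructed response using the cookie names from the issue.
$response = "HTTP/1.1 200 OK\r\n"
    . "Set-Cookie: RETS-Session-ID=1111; Path=/,MRIS1_RETS-Session-ID=abcd; "
    . "Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/\r\n"
    . "Server: nginx\r\n";
echo build_cookie_header(collect_cookies($response)), "\n";
```

Feeding it a response captured from the feed lets you compare the Cookie header it yields with the one your client actually sends.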