[Techtalk] At Wits' End on Persistent HTTP Cookies

Kai MacTane kmactane at GothPunk.com
Tue Apr 30 13:02:54 EST 2002 

Hi. I'm trying to make a mod_perl/Mason project set a persistent cookie, 
using the old Netscape cookie spec at 
http://www.netscape.com/newsref/std/cookie_spec.html . I can make it set a 
session cookie, no problem, but getting to keep the cookie around for a 
mere 5 days has driven me to the point of insanity.

Netscape's spec is a little inconsistent about just what the date format 
should be for the cookie's "expires" field -- when you compare their 
specified format with their examples, you're left wondering things like, 
"Should the weekday be three characters, or the full name? Should it be 
followed by a comma or not?" and "Should the year be 2 digits or 4?"

So I checked in my cookies file for some persistent cookies set by other 
sites, telnetted to them on port 80, and read the actual headers being 
output by their servers. For example, if you request the Pentium Quick 
Reference Guide, from develop.intel.com//design/pentium/qit/, you get this:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 30 Apr 2002 18:36:35 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR STP ONL UNI COM NAV 
INT D
EM STA PRE"
Set-Cookie: AnonymousGuest=D209E7A4CE1F42a796B862980CDFC801734; expires=Fri 
28-May-2010 23:59:00 GMT; path=/;
Content-Type: text/html

I currently have my own cookie's "expires" field hard-coded to return May 
12th, just to avoid any "leading zero" issues. My output looks like the 
following:

HTTP/1.1 200 OK
Date: Tue, 30 Apr 2002 19:24:18 GMT
Server: Apache/1.3.23 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c mod_perl/1.26
Set-cookie: SearchOptions=Fields::PoS::Cats::AttestLevel:; expires=Sun 
12-May-2002 10:11:12 GMT; path=/quenya;
Transfer-Encoding: chunked
Content-Type: text/html

(My SearchOptions settings can get much more involved -- that was the 
result of a null query, with no options set -- but never uses any spaces or 
semicolons. The SearchOptions value always matches the regex [a-zA-Z_:], 
and it is properly set by the browser.)

In both cases, the expires field is of the format: "Wdy DD-Mon-YYYY 
hh:mm:ss GMT"; in both cases, the field order is NAME=VALUE, expires, path; 
in both cases, they're set off by semicolons as they should be.

And yet, my browser (Mozilla 0.98, if that's an issue) plans to hang onto 
Intel's cookie until 2010, and to discard mine at the end of the session.

What gives? I have tried:

* including and omitting the comma after the weekday;
* 2-digit and 4-digit years;
* full weekday name instead of Wdy;
* adding a trailing slash after path (that just makes it consider it
   to be a different cookie, and still a session cookie)
* omitting the path altogether (both with and without a trailing semi-
   colon after 'GMT');
* ripping out my hair;
* screaming at the computer.

No matter what I do, the SearchOptions value gets set just fine, but always 
as a session cookie.

Any help on this would be greatly appreciated. What the hell is the weird 
magic that Intel (and the whole rest of the Internet) has that I don't?

                                                 --Kai MacTane
----------------------------------------------------------------------
"When nothing's sacred any more,
  When the demon's knocking on your door,
  You're still staring down at the floor."
                                                 --The Chameleons UK,
                                                  "Swamp Thing"

More information about the Techtalk mailing list