On Wed, 2002-08-21 at 12:41, Quentin Smith wrote:
Hi- I'm not sure if this is a bug or not. You should read up on the cookie spec at http://www.netscape.com/newsref/std/cookie_spec.html. I believe that a more-specific path will mask a more general path. However, I do not know if it is possible to send two Set-cookie headers with the same name in the same response.
Interesting. According to that document, cookies sent back don't include the path - they include the name and the value, and are ordered most-specific to least-specific path, but they don't actually say per-cookie what path the cookie has.

By my reckoning, that'd make it very difficult for Zope to work out which cookie should have which value, if they have the same name but different paths. Looks like it should be doable, in theory, but is a bad idea(tm).

More specifically, setting two cookies with different paths should be fine according to the spec, but coming back you can't see the path so they're just going to override each other, and most specific will win - you don't get to see both cookies, just the most specific one, even though both have been sent. Zope doesn't differentiate on setCookie, so you can't set two cookies with the same name but different paths in the same request.

I think Zope's handling of cookies is possibly a little bit incorrect, in that most specific overrides the value of least-specific rather than both being presented for the app, but as the path isn't presented with the cookie, I can't see a nice way around it. Given that, not allowing the setting of multiple same-named cookies at once is probably not such a bad thing.

I've moved all my cookies up to path='/', and will code in better handling for incorrect cookies.

What's the proper place to document this cookie behaviour/where should I have looked to find info about this/where can I write something up as a reference for others?

KJL
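
The behaviour discussed in this thread, as an added Python illustration (not part of the original messages and not Zope's code): it models a client that sends matching cookies most-specific path first without the path, and a server that can only detect the duplicate name. The cookie names, values and paths are constructed sample data, and the helper names are hypothetical.

```python
def build_cookie_header(jar, request_path):
    """Client side: send name=value only, most specific (longest) path first.
    Path matching is the Netscape-style prefix match."""
    matching = [c for c in jar if request_path.startswith(c["path"])]
    matching.sort(key=lambda c: len(c["path"]), reverse=True)  # stable sort
    return "; ".join(f'{c["name"]}={c["value"]}' for c in matching)

def parse_pairs(header):
    """Server side: ordered (name, value) pairs, duplicates preserved."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name.strip(), value.strip()))
    return pairs

def first_wins(pairs):
    """Keep the first value per name: the most specific path wins."""
    out = {}
    for name, value in pairs:
        out.setdefault(name, value)
    return out

def last_wins(pairs):
    """Keep the last value per name: the least specific path wins."""
    return dict(pairs)

def shadowed_names(pairs):
    """Names received more than once; the path that caused it is not recoverable."""
    seen, dups = set(), []
    for name, _ in pairs:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups

# Constructed sample cookie jar: same name stored under two paths.
JAR = [
    {"name": "session", "value": "root-value", "path": "/"},
    {"name": "session", "value": "app-value", "path": "/app"},
    {"name": "theme", "value": "dark", "path": "/"},
]

if __name__ == "__main__":
    header = build_cookie_header(JAR, "/app/page")
    pairs = parse_pairs(header)
    print("Cookie:", header)
    print("first-wins:", first_wins(pairs))
    print("last-wins: ", last_wins(pairs))
    print("duplicated names:", shadowed_names(pairs))
```

Logging or rejecting requests where `shadowed_names` is non-empty for a sensitive cookie gives the application a way to notice the ambiguity instead of silently picking one value.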