On Wed, 2002-08-21 at 12:02, Quentin Smith wrote:

Hi- This is, unfortunately, the way it is supposed to work. To expire a cookie, you need to send a Set-Cookie header with an identical name and path and a date in the past. I don't know how Zope handles setting cookies, as I have only ever had to read cookies. I imagine you would need to call something like RESPONSE.cookies.expire("name", "/path"), but it probably is a different function name. --Quentin

The problem is, if I have a cookie called __ac at path /, and a cookie called __ac at path /xone, then I can expire one or the other - but not both on the same web request. Because HTTPResponse.py keys on cookie name only, not name and path. Does this rate as a bug? I can work around it, sorta, but it feels wrong. KevinL

On Wed, 2002-08-21 at 12:41, Quentin Smith wrote:

Hi- I'm not sure if this is a bug or not. You should read up on the cookie spec at http://www.netscape.com/newsref/std/cookie_spec.html. I believe that a more-specific path will mask a more general path. However, I do not know if it is possible to send two Set-cookie headers with the same name in the same response.

Interesting. According to that document, cookies sent back don't include the path - they include the name and the value, and are ordered most-specific to least-specific path, but they don't actually say per-cookie what path the cookie has. By my reckoning, that'd make it very difficult for Zope to work out which cookie should have which value, if they have the same name but different paths. Looks like it should be doable, in theory, but is a bad idea(tm). More specifically, setting two cookies with different paths should be fine according to the spec, but coming back you can't see the path so they're just going to override each other, and most specific will win - you don't get to see both cookies, just the most specific one, even though both have been sent. Zope doesn't differentiate on setCookie, so you can't set two cookies with the same name but different paths in the same request. I think Zope's handling of cookies is possibly a little bit incorrect, in that most specific overrides the value of least-specific rather than both being presented for the app, but as the path isn't presented with the cookie, I can't see a nice way around it. Given that, not allowing the setting of multiple same-named cookies at once is probably not such a bad thing. I've moved all my cookies up to path='/', and will code in better handling for incorrect cookies. What's the proper place to document this cookie behaviour/where should I have looked to find info about this/where can I write something up as a reference for others? KJL

Chris McDonough writes:

... I understand what you're trying to do, and it seems to call for an additional API method on the response object that would allow you to supply a path when setting a cookie. I don't think he need a new API method:

The "setCookie" method already allows to specify a path. However, when he calls "setCookie" twice with the same cookie name and different paths, one of the two "setCookie" becomes ineffective. Dieter