HTTPCookie doesn't support expiry times in the past

[karlr42]

I've been writing a proxy using Poco and have run into an issue handling Set-Cookie headers sent by the remote server intended to remove cookies on the browser. These Set-Cookie headers are of the form

Set-Cookie: value=; path=/; domain=example.com; expires=Thu, 30-Oct-1980 16:00:00 GMT;

i.e with an expiry date well in the past. My understanding is that setting the expiry so far in the past makes it more likely the browser will remove the cookie, obviating clock sync issues.

The problem is that Poco::Net::HTTPCookie doesn't really support such expiry times. The constructor parses the expiry time with

setMaxAge((int) ((exp.timestamp() - now)/Timestamp::resolution()));

which gives a negative maxAge for any time less than 'now'. The problem that then arises is in calling toString() on a cookie created this way with a negative maxAge. HTTPCookie::toString() will only add the "expires" attribute on a cookie if maxAge >= 0 :

if (_maxAge >= 0)
        {
            Timestamp ts;
            ts += _maxAge*Timestamp::resolution();
            result.append("; expires=");
            DateTimeFormatter::append(result, ts, DateTimeFormat::HTTP_FORMAT);
        }

This is in keeping with the HTTPCookie documentation which states that a value of 0 'deletes the cookie on the client'(presumably by setting the expiry to now and hoping that by the time the cookie gets to the browser 'now' is in the past.) and a value of -1 'causes the cookie to never expire on the client', by omitting the expires attribute entirely. However in my case where I am a proxy trying to pass through to my client a Set-Cookie header with an expiry date which produces a negative maxAge value, the expires attribute is removed entirely and the cookie is not deleted on the client as intended.

Test case here : http://pastebin.com/ar21mdL4

I would be more than happy to work on this issue and submit a patch if you give me the green light. My thinking is to refactor HTTPCookie::toString() to check maxAge for being explicitly -1, in which case no expiry information is printed, otherwise for values >=0 and <-1, add the timestamp. There may be a difficulty converting a negative maxAge into a timestamp string but I'm sure I can figure that out. I just wanted to run it by you first in case you think changing the contract and semantics of set/getMaxAge might be needed instead.

[obiltschnig]

From a quick look, changing the test to

if (_maxAge != -1)

should fix the issue, but I'll leave it to you to provide the patch and a proper test case ;-)

[karlr42]

Ok, thanks for the feedback, I agree that should work. I will work on this and submit a pull request with the change and a test case in due course.

[karlr42]

By the way, what would you consider a proper test case? For a version 0 cookie it's straightforward, create cookie with a fixed expiry string indicating a time in the future/past and check that toString() contains the same string. For a version 1 cookie, where the output of toString contains the number of seconds between now and the expiry time, it's tougher, since that number will be different on every test run. I have a test implemented which accounts for this by using relative timestamps(set cookie to expire a year from now, set cookie to expire one year ago from now) and calculating the difference dynamically, which works fine. But it pulls in Poco::DateTime, Poco::Timestamp and friends to do its work. I don't know if you are okay with that in a unit test- I don't have much experience writing unit tests myself.

[aleks-f]

But it pulls in Poco::DateTime, Poco::Timestamp and friends to do its work. I don't know if you are okay with that in a unit test

It's OK since Net already depends on Foundation. Generally speaking, you would not want to introduce a new library dependency (especially not a cyclical type) but a dependency on components from a library that is already a dependency is fine.