[mj@digicool.com: Re: [Zope-dev] Bug in Zope VersionControl]

Martijn Pieters mj@digicool.com
Fri, 8 Jun 2001 14:12:39 +0200 

(Could we please keep the list in the loop for both wider discussion and
archiving?)

On Fri, Jun 08, 2001 at 01:43:29PM +0200, Christian Theune wrote:
> > REQUEST['SCRIPT_NAME'] is the root of the Zope server. In a pure ZServer
> > environment, this is '/'. In a situation where the Zope server is running
> > behind another webserver, and is not at the root of that server,
> > SCRIPT_NAME represents the path to the Zope server.
> > 
> > For instance, if your Zope server is presented to the outside world as
> > 'http://a.server.com/a/path/to/zope/' then SCRIPT_NAME will be
> > '/a/path/to/zope/', whereever you are in the Zope object hierarchy.
> > 
> > Thus, a version cookie is bound to the root of the Zope server. In your
> > case, it seems that Opera is ignoring the cookie path altogether, and
> > instead falls back on the default, which is the path of the Version object
> > itself.
> 
> Okay. I have something for you.
> 
> The REQUEST['SCRIPT_NAME'] is '' on my server. Could it be that - if zope
> is on the root - it SHOULD be '/' but is ''?

You are correct, SCRIPT_NAME is indeed '' in ZServer situations. However,
see below.

> Then per RFC it should be the location of the request (in this case 
> http://localhost:8080/asdf, where asdf is the version).

The RFC is silent about this. Note that there are two specifications that
may apply. One is the original Netscape specification, the other is RFC
2109:

  http://www.netscape.com/newsref/std/cookie_spec.html
  http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2109.html

There is also a RFC2965 which defines a new 'Set-Cookie2' header with a
new syntax.

Neither RFC 2109 nor the Netscape spec specify what happens when a
'path=;' cookie is sent, they only specify what happens if the path
attribute is absent.

The fact that we set an empty path attribute is thus confusing and we
should avoid this.

> IE and Netscape poorely ignore the path, but Opera restricts the cookie
> to the location of the Version.

IE and Netscape have decided that in that case the server must have ment
to say 'path=/;', while Opera chooses to interpret it the same way as an
omitted path attribute.

> Probably you want to check:
> 
> if REQUEST['SCRIPT_NAME']=='':
> 	REQUEST['SCRIPT_NAME']='/'
> 
> wherever this variable is created ...
> ???

I think we want to use:

  RESPOSE.setCookie(....
      path=(REQUEST['SCRIPT_NAME'] or '/'))

Could you file a bug in the Bug Collector at:

  http://classic.zope.org:8080/Collector

Thanks!

-- 
Martijn Pieters
| Software Engineer  mailto:mj@digicool.com
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------