[Zope] cookies and paths?

KevinL darius@obsidian.com.au
21 Aug 2002 13:07:33 +1000


On Wed, 2002-08-21 at 12:41, Quentin Smith wrote:
> Hi-
> I'm not sure if this is a bug or not. You should read up on the cookie 
> spec at http://www.netscape.com/newsref/std/cookie_spec.html. I believe 
> that a more-specific path will mask a more general path. However, I do 
> not know if it is possible to send two Set-cookie headers with the same 
> name in the same response.

Interesting.  According to that document, cookies sent back don't
include the path - they include the name and the value, and are ordered
most-specific to least-specific path, but they don't actually say
per-cookie what path the cookie has.  By my reckoning, that'd make it
very difficult for Zope to work out which cookie should have which
value, if they have the same name but different paths.

Looks like it should be doable, in theory, but is a bad idea(tm).  More
specifically, setting two cookies with different paths should be fine
according to the spec, but coming back you can't see the path so they're
just going to override each other, and most specific will win - you
don't get to see both cookies, just the most specific one, even though
both have been sent.  Zope doesn't differentiate on setCookie, so you
can't set two cookies with the same name but different paths in the same
request.

I think Zope's handling of cookies is possibly a little bit incorrect,
in that most specific overrides the value of least-specific rather than
both being presented for the app, but as the path isn't presented with
the cookie, I can't see a nice way around it.  Given that, not allowing
the setting of multiple same-named cookies at once is probably not such
a bad thing.

I've moved all my cookies up to path='/', and will code in better
handling for incorrect cookies.  What's the proper place to document
this cookie behaviour/where should I have looked to find info about
this/where can I write something up as a reference for others?

KJL
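
Added example, not part of the original message and not Zope's own code: a small Python model of the behaviour discussed above, showing that the Cookie header carries no path, that a first-value-wins parse hides the less specific cookie, and how a server can flag duplicate names instead of guessing. The function names and the jar contents are assumptions constructed for illustration.

```python
# Added illustration; not Zope's code. All names and data here are constructed.

def cookie_header(jar, request_path):
    """Build the Cookie request header a browser would send.

    jar holds (name, value, path) tuples remembered from Set-Cookie.
    Netscape-spec rules: a cookie is sent when its path is a prefix of the
    request path, more specific (longer) paths are listed first, and the
    path itself is never transmitted.
    """
    matching = [c for c in jar if request_path.startswith(c[2])]
    matching.sort(key=lambda c: len(c[2]), reverse=True)
    return "; ".join(f"{name}={value}" for name, value, _ in matching)


def parse_pairs(header):
    """Split a Cookie header into ordered (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def first_wins(header):
    """Collapse to a dict keeping the first value per name, so the most
    specific path wins and the other value is silently dropped."""
    result = {}
    for name, value in parse_pairs(header):
        result.setdefault(name, value)
    return result


def shadowed_names(header):
    """Return {name: [values]} for names sent more than once, so the
    application can reject or log the ambiguous request."""
    seen = {}
    for name, value in parse_pairs(header):
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


# Constructed sample: the same name set at two paths, plus an unrelated cookie.
JAR = [("session", "root-value", "/"),
       ("session", "app-value", "/app"),
       ("theme", "dark", "/")]
```

For a request to /app/edit the header contains both session values with nothing to tell them apart; for a request outside /app only the path='/' cookie is sent and shadowed_names returns an empty dict.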