<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Steve,</p>
<p>Different options that come to mind:</p>
<p>- as we are the ones in loadParams() to parse HTTP_COOKIE and
turn its content as ParamValues[]/ParamNames[], we could
potentially have a list CookieParamNames[] where we'd store those
parameter names coming from cookies and the OGC API code could use
to determine if the parameter comes from the query string or not.
Parameters coming from cookies could then be ignored</p>
<p>- or in OGC API mode, ignore completely HTTP_COOKIE. I'm not sure
to which extent it is expected that the cookies the client send
back to the server are considered as query parameters.</p>
<p>- or remove completely that functionality. I guess it is mostly
your call Steve as I see you're the one who added it in 2003 :-)
And looking at the docs
<a class="moz-txt-link-freetext" href="https://github.com/MapServer/MapServer-documentation/search?q=cookie">https://github.com/MapServer/MapServer-documentation/search?q=cookie</a>
, it seems to be undocumented, so probably only a few mortals are
aware of it. The only reference to cookies is the RFC 42 cookie
forwarding mechanism, which is something else. The code in
cgiutil.c should just be stripped down to the following to keep
RFC 42 working (AFAICS ! I'm discovering all that stuff when
writing this email :-)):<br>
</p>
<p> s = getenv2("HTTP_COOKIE", thread_context);<br>
if(s != NULL) {<br>
request->httpcookiedata = msStrdup(s);<br>
}<br>
</p>
<p>- for AJAX jQuery, I've found mentions of the "callback" query
parameter name. If it is the only one, perhaps we could just
silently ignore it, assuming it comes from AJAX</p>
<p>- add a "oga_compliant" "true" setting that would be set only
when running CITE testing where we reject unknown query parameter
names. And by default / "false", ignore them silently<br>
</p>
<p>Even<br>
</p>
<div class="moz-cite-prefix">Le 24/09/2021 à 20:32, Steve Lime a
écrit :<br>
</div>
<blockquote type="cite"
cite="mid:CAMrKZ9-o+wL8Q4wx_taMpSY6L4D9CsA1gx+LHfaSwn+BtN_2yQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi all: MapServer has always treated cookies as
parameters. Those values are added to the parameter names and
values arrays and are basically just another way to set standard
request parameters. This can cause a problem with OGC API specs
that require exceptions be generated when unexpected parameters
are encountered. Note that standard AJAX use with something like
jQuery can also trigger the exception when it tags on params to
make calls unique - so there's more to discuss.
<div><br>
</div>
<div>Anyway, it got me wondering if we need to continue to
handle cookies at all. I don't see much value and simpler is
better but I don't know if others might be using that
feature... Thoughts?</div>
<div><br>
</div>
<div>--Steve </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
MapServer-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:MapServer-dev@lists.osgeo.org">MapServer-dev@lists.osgeo.org</a>
<a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
<a class="moz-txt-link-freetext" href="http://www.spatialys.com">http://www.spatialys.com</a>
My software is free, but my time generally not.</pre>
</body>
</html>