[mapserver-dev] Call for comments - RFC 42 HTTP Cookie Forwarding
Daniel Morissette
dmorissette at mapgears.com
Thu Mar 27 18:03:24 EDT 2008
Julien-Samuel Lacroix wrote:
>
> - Cookie passing should be done by the webserver, but since we connect
> directly to a WMS server we have to handle it in MapServer.
>
And my response to this was:
"MapServer has the ability to connect to remote WMS and WFS services to
allow users to transparently include data from remote OGC services in
their apps... I don't think this is webserver stuff... this is simply
the use of a protocol to access data that happens to use HTTP, but the
fact that it uses HTTP doesn't mean it's webserver stuff... actually
Apache would not know what to do with OGC services... only specialized
software like MapServer, Open Layers, etc knows enough to use them"
... and FrankW also wrote:
"I don't see how else authentication can be passed through for cascaded
layers."
... which really solves the question better than I did.
> - There's no mention of encoding in the RFC. I should add a mention to
> warn MapScript users that they should encode their end-of-line and
> double-quote characters to make sure they don't screw up their mapfile
> when saving it on disc. For a CGI request, it shouldn't be a problem
> since we don't save the file after we set the cookie. Is that enough?
>
I had a look at the RFCs relating to HTTP and state info (cookies) and
could not find anything specific about the permitted chars in HTTP headers.
Clearly the newline is the character that could screw things up since
that's the delimiter of HTTP headers. It seems that a safe test would be
to check that the cookie data contains only chars in the ASCII printable
range, i.e. from ASCII 32 to 126. If any of those chars is found in the
cookie metadata then produce a fatal error... that should never happen
under normal use anyway.
> - Putting processing values in a metadata (http_cookie_data) may be
> going to far. The other alternative would be to add a mapfile
> configuration parameter called HTTPCOOKIE that would be used to store
> the cookie data. I would like to hear from others on that specific point?
>
I am also worried that the use of the metadata 'http_cookie_data' to
store state information is a poor use of metadata. We could possibly
move that to an httpcookie member in the mapObj, but I would definitely
not expose it to the mapfile. Since that's state information that does
not belong in the mapfile... only the CGI and mapscript need access to it.
Another idea could be to add an applicationStateObj in the mapObj that
could be used to store application state information (like those
cookies, and also resultCache, labelCache, etc.)... however that is
behyond the scope of the current RFC.
Daniel
--
Daniel Morissette
http://www.mapgears.com/
More information about the mapserver-dev
mailing list