[mapserver-dev] Call for comments - RFC 42 HTTP Cookie Forwarding

Daniel Morissette dmorissette at mapgears.com
Thu Mar 27 18:03:24 EDT 2008 

Julien-Samuel Lacroix wrote:
> 
> - Cookie passing should be done by the webserver, but since we connect 
> directly to a WMS server we have to handle it in MapServer.
> 

And my response to this was:

"MapServer has the ability to connect to remote WMS and WFS services to 
allow users to transparently include data from remote OGC services in 
their apps... I don't think this is webserver stuff... this is simply 
the use of a protocol to access data that happens to use HTTP, but the 
fact that it uses HTTP doesn't mean it's webserver stuff... actually 
Apache would not know what to do with OGC services... only specialized 
software like MapServer, Open Layers, etc knows enough to use them"

... and FrankW also wrote:

"I don't see how else authentication can be passed through for cascaded 
layers."

... which really solves the question better than I did.


> - There's no mention of encoding in the RFC. I should add a mention to 
> warn MapScript users that they should encode their end-of-line and 
> double-quote characters to make sure they don't screw up their mapfile 
> when saving it on disc. For a CGI request, it shouldn't be a problem 
> since we don't save the file after we set the cookie. Is that enough?
> 

I had a look at the RFCs relating to HTTP and state info (cookies) and 
could not find anything specific about the permitted chars in HTTP headers.

Clearly the newline is the character that could screw things up since 
that's the delimiter of HTTP headers. It seems that a safe test would be 
to check that the cookie data contains only chars in the ASCII printable 
range, i.e. from ASCII 32 to 126. If any of those chars is found in the 
cookie metadata then produce a fatal error... that should never happen 
under normal use anyway.


> - Putting processing values in a metadata (http_cookie_data) may be 
> going to far. The other alternative would be to add a mapfile 
> configuration parameter called HTTPCOOKIE that would be used to store 
> the cookie data. I would like to hear from others on that specific point?
> 

I am also worried that the use of the metadata 'http_cookie_data' to 
store state information is a poor use of metadata. We could possibly 
move that to an httpcookie member in the mapObj, but I would definitely 
not expose it to the mapfile. Since that's state information that does 
not belong in the mapfile... only the CGI and mapscript need access to it.

Another idea could be to add an applicationStateObj in the mapObj that 
could be used to store application state information (like those 
cookies, and also resultCache, labelCache, etc.)... however that is 
behyond the scope of the current RFC.

Daniel
-- 
Daniel Morissette
http://www.mapgears.com/

More information about the mapserver-dev mailing list