[mapserver-dev] Cookies as Params

Even Rouault even.rouault at spatialys.com
Fri Sep 24 12:17:32 PDT 2021


Steve,

Different options that come to mind:

- as we are the ones in loadParams() to parse HTTP_COOKIE and turn its 
content into ParamValues[]/ParamNames[], we could potentially have a list 
CookieParamNames[] where we'd store those parameter names coming from 
cookies and that the OGC API code could use to determine if the parameter 
comes from the query string or not. Parameters coming from cookies could 
then be ignored

- or in OGC API mode, ignore completely HTTP_COOKIE. I'm not sure to 
what extent it is expected that the cookies the client sends back to the 
server are considered as query parameters.

- or remove completely that functionality. I guess it is mostly your 
call Steve as I see you're the one who added it in 2003 :-) And looking 
at the docs 
https://github.com/MapServer/MapServer-documentation/search?q=cookie , 
it seems to be undocumented, so probably only a few mortals are aware of 
it. The only reference to cookies is the RFC 42 cookie forwarding 
mechanism, which is something else.  The code in cgiutil.c should just 
be stripped down to the following to keep RFC 42 working (AFAICS ! I'm 
discovering all that stuff when writing this email :-)):

   s = getenv2("HTTP_COOKIE", thread_context);
   if(s != NULL) {
     request->httpcookiedata = msStrdup(s);
   }

- for AJAX jQuery, I've found mentions of the "callback" query parameter 
name. If it is the only one, perhaps we could just silently ignore it, 
assuming it comes from AJAX

- add an "oga_compliant" "true" setting that would be set only when 
running CITE testing where we reject unknown query parameter names. And 
by default / "false", ignore them silently

Even

Le 24/09/2021 à 20:32, Steve Lime a écrit :
> Hi all: MapServer has always treated cookies as parameters. Those 
> values are added to the parameter names and values arrays and are 
> basically just another way to set standard request parameters. This 
> can cause a problem with OGC API specs that require exceptions be 
> generated when unexpected parameters are encountered. Note that 
> standard AJAX use with something like jQuery can also trigger the 
> exception when it tags on params to make calls unique - so there's 
> more to discuss.
>
> Anyway, it got me wondering if we need to continue to handle cookies 
> at all. I don't see much value and simpler is better but I don't know 
> if others might be using that feature... Thoughts?
>
> --Steve

-- 
http://www.spatialys.com
My software is free, but my time generally not.
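
Added example, not part of the original email and not MapServer code: a sketch of the first option above, where each parameter name is tagged with its origin so a strict unknown-parameter check can skip names that came from HTTP_COOKIE. The struct, enum, function names, allow-list and sample inputs are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 32
enum param_source { SRC_QUERY, SRC_COOKIE };   /* hypothetical provenance tag */

struct request {                               /* simplified stand-in, not cgiRequestObj */
    char names[MAX_PARAMS][64];
    enum param_source source[MAX_PARAMS];
    int count;
};

/* Split "name=value" pairs on any char in seps and record where they came from.
   No URL decoding; values are dropped because only names matter for the check. */
static void add_pairs(struct request *r, const char *s, const char *seps,
                      enum param_source src) {
    char buf[512];
    if (s == NULL) return;
    snprintf(buf, sizeof buf, "%s", s);
    for (char *tok = strtok(buf, seps); tok != NULL && r->count < MAX_PARAMS;
         tok = strtok(NULL, seps)) {
        char *eq = strchr(tok, '=');
        if (eq != NULL) *eq = '\0';
        snprintf(r->names[r->count], sizeof r->names[0], "%s", tok);
        r->source[r->count++] = src;
    }
}

/* Index of the first parameter a strict endpoint would reject, or -1 if none.
   With skip_cookie set, cookie-derived names are never treated as request parameters. */
static int first_rejected(const char *query, const char *cookie, int skip_cookie) {
    static const char *const allowed[] = { "f", "limit", "bbox" };  /* constructed allow-list */
    struct request r = { .count = 0 };
    add_pairs(&r, query, "&", SRC_QUERY);
    add_pairs(&r, cookie, "; ", SRC_COOKIE);
    for (int i = 0; i < r.count; i++) {
        int known = 0;
        if (skip_cookie && r.source[i] == SRC_COOKIE) continue;
        for (size_t k = 0; k < sizeof allowed / sizeof allowed[0]; k++)
            if (strcmp(r.names[i], allowed[k]) == 0) known = 1;
        if (!known) return i;
    }
    return -1;
}

int main(void) {
    const char *q = "f=json&limit=10", *c = "session=abc123; theme=dark";  /* constructed */
    printf("merged without provenance: %d\n", first_rejected(q, c, 0));
    printf("cookie names tracked: %d\n", first_rejected(q, c, 1));
    return 0;
}
```

Tracking provenance only removes cookie names from the strict check; a query-string extra such as the "callback" name mentioned above is still rejected and needs one of the other options.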
