[mapserver-dev] Cookies as Params

Basques, Bob (CI-StPaul) bob.basques at ci.stpaul.mn.us
Fri Sep 24 13:54:03 PDT 2021


I’ve used this in the past for some standalone embedded package mobile stuff (also for authentication).   I don’t recall ever reading any doc’s on it either and discovered that it worked accidentally at the time.

50/50 on it now, but I would think that this might be in use more than generally thought.  So if the functionality can be preserved, also documentation might make it useful/more useful in general as a feature/tool.


From: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> on behalf of Even Rouault <even.rouault at spatialys.com>
Date: Friday, September 24, 2021 at 2:26 PM
To: Steve Lime <sdlime at gmail.com>, "mapserver-dev at lists.osgeo.org" <mapserver-dev at lists.osgeo.org>
Subject: Re: [mapserver-dev] Cookies as Params

Think Before You Click: This email originated outside our organization.


Different options that come to mind:

- as we are the ones in loadParams() to parse HTTP_COOKIE and turn its content as ParamValues[]/ParamNames[], we could potentially have a list CookieParamNames[] where we'd store those parameter names coming from cookies and the OGC API code could use to determine if the parameter comes from the query string or not. Parameters coming from cookies could then be ignored

- or in OGC API mode, ignore completely HTTP_COOKIE. I'm not sure to which extent it is expected that the cookies the client send back to the server are considered as query parameters.

- or remove completely that functionality. I guess it is mostly your call Steve as I see you're the one who added it in 2003 :-) And looking at the docs https://github.com/MapServer/MapServer-documentation/search?q=cookie , it seems to be undocumented, so probably only a few mortals are aware of it. The only reference to cookies is the RFC 42 cookie forwarding mechanism, which is something else.  The code in cgiutil.c should just be stripped down to the following to keep RFC 42 working (AFAICS ! I'm discovering all that stuff when writing this email :-)):

  s = getenv2("HTTP_COOKIE", thread_context);
  if(s != NULL) {
    request->httpcookiedata = msStrdup(s);

- for AJAX jQuery, I've found mentions of the "callback" query parameter name. If it is the only one, perhaps we could just silently ignore it, assuming it comes from AJAX

- add a "oga_compliant" "true" setting that would be set only when running CITE testing where we reject unknown query parameter names. And by default / "false", ignore them silently

Le 24/09/2021 à 20:32, Steve Lime a écrit :
Hi all: MapServer has always treated cookies as parameters. Those values are added to the parameter names and values arrays and are basically just another way to set standard request parameters. This can cause a problem with OGC API specs that require exceptions be generated when unexpected parameters are encountered. Note that standard AJAX use with something like jQuery can also trigger the exception when it tags on params to make calls unique - so there's more to discuss.

Anyway, it got me wondering if we need to continue to handle cookies at all. I don't see much value and simpler is better but I don't know if others might be using that feature... Thoughts?



MapServer-dev mailing list

MapServer-dev at lists.osgeo.org<mailto:MapServer-dev at lists.osgeo.org>




My software is free, but my time generally not.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20210924/9e438ab8/attachment-0001.html>

More information about the MapServer-dev mailing list