[mapserver-dev] Cookies as Params

Seth G sethg at geographika.co.uk
Sat Sep 25 02:45:55 PDT 2021 

Hi Steve,

I'm also using the cookie as parameter approach in a project - an authentication token can be passed along with the request and then used as a runtime substitution parameter to add access security to certain layers. Approach was thanks to Mike at 2am at a bar in Bucharest..!

Even's approach of adding these to a CookieParamNames[] sounds the nicest approach, but I'd imagine also the hardest to implement. 

I would be in favour of removing the check for additional parameters completely, but I understand the rationale of wanting to avoid clients thinking they are requesting something they are not as explained at https://stackoverflow.com/questions/20526784/restful-api-correct-behaviour-when-spurious-not-requested-parameters-are-passe/20686925#20686925

Most JS frameworks allow disabling "cache-busting" parameters. I also like Even's option of "oga_compliant" "true". Maybe have it true by default and allow it to be set to false to allow any additional parameters - querystring or cookie?

Seth

--
web:http://geographika.co.uk
twitter: @geographika


On Fri, Sep 24, 2021, at 10:54 PM, Basques, Bob (CI-StPaul) wrote:
> Steve,
>  
> I’ve used this in the past for some standalone embedded package mobile stuff (also for authentication).   I don’t recall ever reading any doc’s on it either and discovered that it worked accidentally at the time.
>  
> 50/50 on it now, but I would think that this might be in use more than generally thought.  So if the functionality can be preserved, also documentation might make it useful/more useful in general as a feature/tool.
>  
> Bobb
>  
>  
>  
> *From: *MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> on behalf of Even Rouault <even.rouault at spatialys.com>
> *Date: *Friday, September 24, 2021 at 2:26 PM
> *To: *Steve Lime <sdlime at gmail.com>, "mapserver-dev at lists.osgeo.org" <mapserver-dev at lists.osgeo.org>
> *Subject: *Re: [mapserver-dev] Cookies as Params
>  
> *Think Before You Click: *This email originated *outside *our organization.
>  
> Steve,
> 
> Different options that come to mind:
> 
> - as we are the ones in loadParams() to parse HTTP_COOKIE and turn its content as ParamValues[]/ParamNames[], we could potentially have a list CookieParamNames[] where we'd store those parameter names coming from cookies and the OGC API code could use to determine if the parameter comes from the query string or not. Parameters coming from cookies could then be ignored
> 
> - or in OGC API mode, ignore completely HTTP_COOKIE. I'm not sure to which extent it is expected that the cookies the client send back to the server are considered as query parameters.
> 
> - or remove completely that functionality. I guess it is mostly your call Steve as I see you're the one who added it in 2003 :-) And looking at the docs https://github.com/MapServer/MapServer-documentation/search?q=cookie , it seems to be undocumented, so probably only a few mortals are aware of it. The only reference to cookies is the RFC 42 cookie forwarding mechanism, which is something else.  The code in cgiutil.c should just be stripped down to the following to keep RFC 42 working (AFAICS ! I'm discovering all that stuff when writing this email :-)):
> 
> 
>   s = getenv2("HTTP_COOKIE", thread_context);
>   if(s != NULL) {
>     request->httpcookiedata = msStrdup(s);
>   }
> 
> - for AJAX jQuery, I've found mentions of the "callback" query parameter name. If it is the only one, perhaps we could just silently ignore it, assuming it comes from AJAX
> 
> - add a "oga_compliant" "true" setting that would be set only when running CITE testing where we reject unknown query parameter names. And by default / "false", ignore them silently
> 
> Even
> 
> Le 24/09/2021 à 20:32, Steve Lime a écrit :
>> Hi all: MapServer has always treated cookies as parameters. Those values are added to the parameter names and values arrays and are basically just another way to set standard request parameters. This can cause a problem with OGC API specs that require exceptions be generated when unexpected parameters are encountered. Note that standard AJAX use with something like jQuery can also trigger the exception when it tags on params to make calls unique - so there's more to discuss.
>>  
>> Anyway, it got me wondering if we need to continue to handle cookies at all. I don't see much value and simpler is better but I don't know if others might be using that feature... Thoughts?
>>  
>> --Steve 
>> 
>> 
>> _______________________________________________
>> MapServer-dev mailing list
>> MapServer-dev at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
> -- 
> http://www.spatialys.com
> My software is free, but my time generally not.
> _______________________________________________
> MapServer-dev mailing list
> MapServer-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20210925/f925cff7/attachment.html>

More information about the MapServer-dev mailing list