This is the rfc2109 Reference Manual, version 0.4, generated automatically by Declt version 4.0 beta 2 "William Riker" on Sun Sep 15 06:36:27 2024 GMT+0.
The main system appears first, followed by any subsystem dependency.
rfc2109
0.4
split-sequence
(system).
rfc2109.lisp
(file).
Files are sorted by type and then listed depth-first from the systems components trees.
rfc2109/rfc2109.asd
rfc2109
(system).
output-files
(method).
perform
(method).
load-file-with-tests
(class).
rfc2109/rfc2109.lisp
rfc2109
(system).
cookie-comment
(reader).
(setf cookie-comment)
(writer).
cookie-domain
(reader).
(setf cookie-domain)
(writer).
cookie-max-age
(reader).
(setf cookie-max-age)
(writer).
cookie-name
(reader).
(setf cookie-name)
(writer).
cookie-p
(function).
cookie-path
(reader).
(setf cookie-path)
(writer).
cookie-secure
(reader).
(setf cookie-secure)
(writer).
cookie-string
(function).
cookie-string-from-cookie-struct
(function).
cookie-value
(reader).
(setf cookie-value)
(writer).
domain-match-p
(function).
make-cookie
(function).
parse-cookies
(function).
print-object
(method).
safe-parse-cookies
(function).
*cr*
(special variable).
*ht*
(special variable).
*lf*
(special variable).
attr?
(function).
char-el?
(function).
cleave-sequence
(function).
cookie
(structure).
cookie-error
(condition).
cookie-string-exceeds-minimum-length
(condition).
cookie-string-exceeds-minimum-length-cookie-string
(reader method).
cookie-string-too-long?
(function).
cookie-warning
(condition).
copy-cookie
(function).
correct
(macro).
crlf-el?
(function).
ctl-el?
(function).
ensure-pair
(function).
invalid-cookie-parameter
(condition).
invalid-cookie-parameter-message
(reader method).
invalid-cookie-parameter-parameter
(reader method).
invalid-cookie-parameter-value
(reader method).
lws-el?
(function).
octet-el?
(function).
optional
(macro).
parse-cookies-v1
(function).
parse-cookies-vnetscape
(function).
print-cookie
(function).
qdtext?
(function).
quote-around
(function).
quoted-string?
(function).
remove-escaped-quotes
(function).
remove-quotes-around
(function).
split-along-lws
(function).
split-along-quoted-lws
(function).
text-el?
(function).
text?
(function).
token-el?
(function).
token?
(function).
trim-spaces
(function).
try-quotes
(macro).
tspecial-el?
(function).
unparseable-cookie
(condition).
unparseable-cookie-cookie-string
(reader method).
unparseable-cookie-message
(reader method).
unparseable-cookie-version
(reader method).
valid-domain?
(function).
valid-name?
(function).
value?
(function).
word?
(function).
Packages are listed by definition order.
rfc2109-system
Use list: asdf/interface, common-lisp.
load-file-with-tests
(class).
rfc2109
This package implements RFC2109 - the original cookie specification. Use it to generate (and eventually parse) cookies in an RFC-compliant way.
Use list: common-lisp.
cookie-comment
(reader).
(setf cookie-comment)
(writer).
cookie-domain
(reader).
(setf cookie-domain)
(writer).
cookie-max-age
(reader).
(setf cookie-max-age)
(writer).
cookie-name
(reader).
(setf cookie-name)
(writer).
cookie-p
(function).
cookie-path
(reader).
(setf cookie-path)
(writer).
cookie-secure
(reader).
(setf cookie-secure)
(writer).
cookie-string
(function).
cookie-string-from-cookie-struct
(function).
cookie-value
(reader).
(setf cookie-value)
(writer).
domain-match-p
(function).
make-cookie
(function).
parse-cookies
(function).
safe-parse-cookies
(function).
*cr*
(special variable).
*ht*
(special variable).
*lf*
(special variable).
attr?
(function).
char-el?
(function).
cleave-sequence
(function).
cookie
(structure).
cookie-error
(condition).
cookie-string-exceeds-minimum-length
(condition).
cookie-string-exceeds-minimum-length-cookie-string
(generic reader).
cookie-string-too-long?
(function).
cookie-warning
(condition).
copy-cookie
(function).
correct
(macro).
crlf-el?
(function).
ctl-el?
(function).
ensure-pair
(function).
invalid-cookie-parameter
(condition).
invalid-cookie-parameter-message
(generic reader).
invalid-cookie-parameter-parameter
(generic reader).
invalid-cookie-parameter-value
(generic reader).
lws-el?
(function).
octet-el?
(function).
optional
(macro).
parse-cookies-v1
(function).
parse-cookies-vnetscape
(function).
print-cookie
(function).
qdtext?
(function).
quote-around
(function).
quoted-string?
(function).
remove-escaped-quotes
(function).
remove-quotes-around
(function).
split-along-lws
(function).
split-along-quoted-lws
(function).
text-el?
(function).
text?
(function).
token-el?
(function).
token?
(function).
trim-spaces
(function).
try-quotes
(macro).
tspecial-el?
(function).
unparseable-cookie
(condition).
unparseable-cookie-cookie-string
(generic reader).
unparseable-cookie-message
(generic reader).
unparseable-cookie-version
(generic reader).
valid-domain?
(function).
valid-name?
(function).
value?
(function).
word?
(function).
Definitions are sorted by export status, category, package, and then by lexicographic order.
Creates a cookie named NAME with value VALUE.
The returned value is suitable for passing in (request-send-headers request :set-cookie cookie).
NAME, VALUE (strings)
Required. The name of the state information ("cookie") is NAME,
and its value is VALUE. NAMEs that begin with $ are reserved for
other uses and must not be used by applications.
Comment (a string)
Because cookies can contain private information about a
user, the Comment attribute allows an origin server to document its
intended use of a cookie. The user can inspect the information to
decide whether to initiate or continue a session with this cookie.
Domain (a string)
The Domain attribute specifies the domain for which the
cookie is valid. An explicitly specified domain must always start
with a dot. [ed - this implementation requires an explicitly specified domain!]
Max-Age (a non-negative integer)
The Max-Age attribute defines the lifetime of the
cookie, in seconds. The delta-seconds value is a decimal non-negative
integer. After delta-seconds seconds elapse, the client
should discard the cookie. A value of zero means the cookie
should be discarded immediately.
Path (a string)
The Path attribute specifies the subset of URLs to
which this cookie applies.
NB: Mozilla (pre-Deer-Park), IE, and links all fail with RFC-compliant
PATHs. As such, it is recommended to set the cookie in the root of your
web app’s URI, and not include a path argument.
Secure (true or false)
The Secure attribute directs the user
agent to use only (unspecified) secure means to contact the origin
server whenever it sends back this cookie.
The user agent (possibly under the user’s control) may determine
what level of security it considers appropriate for "secure"
cookies. The Secure attribute should be considered security
advice from the server to the user agent, indicating that it is in
the session’s interest to protect the cookie contents.
corrects-path-p (true or false)
If this is true, PATH will be written as a quoted string, in conformance
with the standard. Otherwise, whatever string is provided to PATH is used.
This may be used to kludge compatibility with current browsers' broken
handling of the path option.
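The checks listed above (no $-prefixed NAME, a Domain that starts with a dot, a non-negative Max-Age, a quoted Path when corrects-path-p is true, a quoted value when it is not a token), written out as an added Python example. This is the editor's code, not the rfc2109 library's: the function name cookie_string, its keyword parameters, the token/quoted-string helpers and the decision to always emit Version=1 are assumptions taken from RFC 2109 and RFC 2068 rather than from the library.

```python
"""Added example (editor's code, not the rfc2109 library's): build an RFC 2109
Set-Cookie header value with the checks the COOKIE-STRING documentation lists.
Function and parameter names are the editor's assumptions.
"""

# RFC 2068 'tspecials'; a token is one or more CHARs that are neither CTLs
# nor tspecials.
_TSPECIALS = frozenset('()<>@,;:\\"/[]?={} \t')


def is_token(s: str) -> bool:
    return bool(s) and all(32 <= ord(c) < 127 and c not in _TSPECIALS for c in s)


def quote(s: str) -> str:
    """Render S as an RFC 2068 quoted-string; CTLs other than HT are rejected
    so a caller cannot smuggle CR/LF into the header."""
    if any((ord(c) < 32 and c != "\t") or ord(c) == 127 for c in s):
        raise ValueError("control characters are not allowed in a cookie")
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def valid_domain(domain: str) -> bool:
    """RFC 2109 4.3.2: a Domain must start with a dot and contain an embedded
    dot, so '.cracker.edu' is fine while 'cracker.edu' and '.com' are not."""
    return domain.startswith(".") and "." in domain[1:-1] and is_token(domain[1:])


def cookie_string(name, value, comment=None, domain=None, max_age=None,
                  path=None, secure=False, corrects_path_p=True):
    """Return the value of a Set-Cookie header (without the 'Set-Cookie:' prefix)."""
    if not is_token(name) or name.startswith("$"):
        raise ValueError(f"invalid cookie NAME: {name!r}")
    # Version=1 is a required attribute of an RFC 2109 Set-Cookie (editor's choice
    # to emit it right after NAME=VALUE).
    parts = [f"{name}={value if is_token(value) else quote(value)}", "Version=1"]
    if comment is not None:
        parts.append(f"Comment={quote(comment)}")
    if domain is not None:
        if not valid_domain(domain):
            raise ValueError(f"invalid Domain: {domain!r}")
        parts.append(f"Domain={quote(domain)}")
    if max_age is not None:
        if not isinstance(max_age, int) or isinstance(max_age, bool) or max_age < 0:
            raise ValueError(f"Max-Age must be a non-negative integer: {max_age!r}")
        parts.append(f"Max-Age={max_age}")
    if path is not None:
        # corrects_path_p=False reproduces the documented kludge: the raw string
        # is used, for browsers that choke on a quoted Path.
        parts.append(f"Path={quote(path) if corrects_path_p else path}")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    print(cookie_string("sid", "a b", domain=".cracker.edu", max_age=3600,
                        path="/", secure=True))
```

The CTL check in quote() is the part worth keeping even if the rest is replaced: a raw CR/LF in a cookie value becomes a second header line on the wire.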
Given a cookie struct, return an RFC-compliant cookie string.
Checks to see if HOST-A "domain-matches" HOST-B, per RFC2109.
From the RFC:
Host names can be specified either as an IP address or a FQHN
string. Sometimes we compare one host name with another. Host A’s
name domain-matches host B’s if
* both host names are IP addresses and their host name strings match
exactly; or
* both host names are FQDN strings and their host name strings match
exactly; or
* A is a FQDN string and has the form NB, where N is a non-empty name
string, B has the form .B’, and B’ is a FQDN string. (So, x.y.com
domain-matches .y.com but not y.com.)
Note that domain-match is not a commutative operation: a.b.c.com domain-matches .c.com, but not the reverse.
Parses cookies in a Cookie: request header, returning a list of COOKIE structs.
The only information that is passed back for each cookie is: name, value, path, domain, so don’t go
looking for comments or the like.
Note that this function does not want the Cookie: portion of the header.
So if the request header looked like:
Cookie: $Version=1;
mycookie=value1;
myothercookie=value2
You’d leave off the Cookie: bit at the front.
The other parser is SAFE-PARSE-COOKIES, which is the version to use when you can.
Parse a cookie string (see PARSE-COOKIES), but only allow domain cookies that match DOMAIN-RESTRICTION.
RFC 2109 specifies that, in order to avoid a cookie spoofing attack,
one should check that the domain being handed back in your cookie is
the domain you gave out.
A walkthrough of the mechanics:
- If you hand out a cookie with no domain=, then it is restricted to your host
- If you specify a domain, the cookie is "unlocked" for the domain specified
If you don’t expect to use domain cookies, it’s best to ignore all
domain cookies, as they’re not from your website. The default call to
SAFE-PARSE-COOKIES will ignore all domain cookies.
Later on, if you need domain cookies, pass the domains you’ll be using to SAFE-PARSE-COOKIES,
and those specific domains will not be dropped.
RFC text below:
8.2 Cookie Spoofing
Proper application design can avoid spoofing attacks from related
domains. Consider:
1. User agent makes request to victim.cracker.edu, gets back
cookie session_id="1234" and sets the default domain
victim.cracker.edu.
2. User agent makes request to spoof.cracker.edu, gets back
cookie session-id="1111", with Domain=".cracker.edu".
3. User agent makes request to victim.cracker.edu again, and
passes
Cookie: $Version="1";
session_id="1234";
session_id="1111"; $Domain=".cracker.edu"
The server at victim.cracker.edu should detect that the second
cookie was not one it originated by noticing that the Domain
attribute is not for itself and ignore it.
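The parsing and the section 8.2 check described above, written out as an added Python example; it is the editor's code and is not part of the library or the original manual. parse_cookies, safe_parse_cookies, domain_matches and the Cookie class are the editor's names, the sample headers are constructed from the RFC text, and allowed domains are compared case-insensitively, which the manual does not specify. domain_matches implements the DOMAIN-MATCH-P rules quoted earlier, and the example also shows why domain-matching alone is not the right check: the forged cookie's $Domain=".cracker.edu" does domain-match victim.cracker.edu, so the server has to compare against the domains it actually handed out, which is what safe_parse_cookies does.

```python
"""Added example (editor's code, not the rfc2109 library's): parse an RFC 2109
Cookie: request header and drop cookies whose $Domain this server never issued.
Names, signatures and the sample headers below are the editor's assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    path: Optional[str] = None
    domain: Optional[str] = None


def _split_unquoted(s: str, seps: str) -> List[str]:
    """Split S on any char in SEPS, ignoring separators inside quoted-strings."""
    parts, cur, quoted, escaped = [], [], False, False
    for ch in s:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch in seps and not quoted:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _unquote(word: str) -> str:
    """word = token | quoted-string; strip the quotes and quoted-pair escapes."""
    if len(word) >= 2 and word[0] == word[-1] == '"':
        return re.sub(r"\\(.)", r"\1", word[1:-1])
    return word


def parse_cookies(header: str) -> Tuple[int, List[Cookie]]:
    """Parse a Cookie: header value (without the 'Cookie:' prefix).

    $Version is read once; $Path and $Domain attach to the cookie that precedes
    them (RFC 2109 4.3.4).  A header without $Version is an old Netscape-style
    header and is parsed the same way with version 0.
    """
    version, cookies = 0, []
    for item in _split_unquoted(header, ";,"):
        if "=" not in item:
            raise ValueError(f"unparseable cookie item: {item!r}")
        name, raw = (s.strip() for s in item.split("=", 1))
        value = _unquote(raw)
        if not name.startswith("$"):
            cookies.append(Cookie(name, value))
        elif name.lower() == "$version":
            version = int(value)
        elif name.lower() == "$path" and cookies:
            cookies[-1].path = value
        elif name.lower() == "$domain" and cookies:
            cookies[-1].domain = value
        else:
            raise ValueError(f"misplaced or unknown attribute: {name!r}")
    return version, cookies


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host_a: str, host_b: str) -> bool:
    """RFC 2109 section 2 'domain-matches'; deliberately not commutative.

    Both IPs: exact match.  Both FQDNs: exact match, or A has the form N.B'
    where B is '.B'' and N is non-empty (x.y.com matches .y.com, not y.com).
    Host names are lower-cased first (editor's choice, not in the RFC text).
    """
    a, b = host_a.lower(), host_b.lower()
    if _is_ip(a) or _is_ip(b):
        return a == b
    if a == b:
        return True
    return b.startswith(".") and len(b) > 1 and a.endswith(b) and len(a) > len(b)


def safe_parse_cookies(header: str, allowed_domains=()) -> List[Cookie]:
    """RFC 2109 8.2: keep host-only cookies, and keep domain cookies only for
    domains this server itself handed out.  domain_matches() is intentionally
    not used here: a forged Domain=.cracker.edu domain-matches victim.cracker.edu."""
    allowed = {d.lower() for d in allowed_domains}
    _, cookies = parse_cookies(header)
    return [c for c in cookies if c.domain is None or c.domain.lower() in allowed]


# Constructed from step 3 of the RFC 2109 section 8.2 walkthrough, not captured traffic.
SPOOFED_HEADER = ('$Version="1"; session_id="1234"; '
                  'session_id="1111"; $Domain=".cracker.edu"')

if __name__ == "__main__":
    for c in safe_parse_cookies(SPOOFED_HEADER):
        print(f"accepted {c.name}={c.value} (domain={c.domain})")
```

With the default empty allow-list only session_id="1234" survives; passing [".cracker.edu"] keeps both, which is exactly the situation the walkthrough warns about, so only list a domain there if you really issue cookies for it.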
Method specializers (package asdf/action): (compile-op) (c load-file-with-tests).
Method specializers (package asdf/action): (load-file-with-tests).
Checks that SLOT obeys TEST, or signals an INVALID-COOKIE-PARAMETER condition. If TEST is a simple function name it will be turned into (TEST SLOT).
If SLOT doesn't match TEST, try adding quotes around it; if that doesn't work either, go to ELSE.
Determine if element is an attr
Cleave SEQUENCE into two at the first (and mandatory) occurrence of SEPARATOR.
True if the cookie string is longer than the minimum cookie size guaranteed to be allowed by the specification
Ensure that the LIST has only two elements, by joining the
elements of the tail with DELIM. Gentle failure: shorter
lists are just returned.
LIST should be a list of strings.
Parses RFC2109 cookies - do not use directly
Parses old netscape-style cookies
Prints an aesthetic representation of COOKIE to STREAM. Note that this is *not* the equivalent of COOKIE-STRING-FROM-COOKIE-STRUCT. As such, it explicitly prints an invalid cookie.
Adds quotes around a string
If there are quotes, remove them
Chops up a string along linear whitespace, returns a list
Chops up a string along linear whitespace, but this version knows about quote marks
Verifies that NAME is a valid name
Determine if element is a value
Determine if element is a word
Reader methods are specialized on their own condition class: cookie-string-exceeds-minimum-length-cookie-string on cookie-string-exceeds-minimum-length; invalid-cookie-parameter-message, -parameter and -value on invalid-cookie-parameter; unparseable-cookie-cookie-string, -message and -version on unparseable-cookie.
cookie-error: direct superclass error.
:cookie-string
This slot is read-only.
cookie-warning: direct superclass warning.
:parameter
This slot is read-only.
:value
This slot is read-only.
:message (initform (quote nil))
This slot is read-only.
Condition returned when all parsing attempts have failed.
Cookie struct - useful for manipulating cookie values. Please note that just because it’s a valid cookie structure doesn’t mean that it’s a valid cookie. See documentation for COOKIE-STRING for parameter information.
Direct superclass: structure-object.
Slot types and initforms, in the order of the COOKIE-STRING parameters (name, value, comment, domain, max-age, path, secure):
name: string, initform ""
value: string, initform ""
comment: (or string null)
domain: (or string null)
max-age: (or (integer 0) null)
path: (or string null)
secure: boolean
load-file-with-tests: direct superclass cl-source-file.