
I'm looking to implement a straightforward method to check if a given cookie domain domain-matches a given hostname.

To do this I will be implementing the domain matching conditions defined in section 5.1.3 of RFC 6265.

The second of the two matching conditions defined is a multipart condition where three sub-conditions apply:

All of the following conditions hold:

  • The domain string is a suffix of the string.
  • The last character of the string that is not included in the domain string is a %x2E (".") character.
  • The string is a host name (i.e., not an IP address).

For clarity, when the above quoted text refers to "the string" it is referring to the domain value of a cookie and when the above quoted text refers to "the domain name" it is referring to the domain name of a host to which cookies might be sent.

Of these three sub-conditions, the first and third are quite clear. It is the wording of the second that I am finding confusing.

I do know that a cookie domain of "example.com" matches only "example.com" and a cookie domain of ".example.com" matches "<anything>.example.com". My best guess is that the above second sub-condition is referring to this broad subdomain matching concept; however, given the wording I can't be sure.

Is anyone able to translate this second sub-condition into plain technical English?

Charles
Jon Cram

2 Answers

I have also struggled a lot when trying to understand that particular condition. After the fifteenth read I noticed that I wasn't paying attention to the key words. Quoting (and emphasizing):

  • The last character of the string THAT IS NOT INCLUDED in the domain string is a %x2E (".") character.

So I believe the following Python 3 implementation would be compliant to the RFC:

import ipaddress

def domain_matches(string: str, domain_string: str) -> bool:
    # RFC 6265 5.1.3: "string" is the (canonicalized) request host,
    # "domain_string" is the cookie's domain. Compare case-insensitively.
    string = string.lower()
    domain_string = domain_string.lower()
    # Third sub-condition: the string must be a host name, not an IP address.
    try:
        ipaddress.ip_address(string)
        is_host = False
    except ValueError:
        is_host = True
    return (
        # First condition of 5.1.3: identical strings.
        string == domain_string
        or
        # Second condition: suffix, preceded by ".", and a host name.
        # endswith() plus inequality guarantee len(string) > len(domain_string),
        # so the index below is always in range.
        (string.endswith(domain_string)
         and
         string[-(len(domain_string) + 1)] == "."
         and
         is_host)
    )

The ipaddress bit is to be fully pedantic. However, for my use case I omitted it.

C2H5OH

According to section 4.1.2.3 of RFC 6265

For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

So the logic would be:

1. check targetString endsWith domain
2. check lastChar(targetString) != "."
3. check targetString is host name
C. Lin