[CLUE-Tech] PHP Sessions and Cookies: Brain Cramp

Keith Hellman kehellman at yahoo.com
Sun Oct 13 01:48:15 MDT 2002


On Sat, Oct 12, 2002 at 10:45:24PM -0600, Jed S. Baer wrote:
> On Sat, 12 Oct 2002 22:07:07 -0600
> Matt Gushee <mgushee at havenrock.com> wrote:
> 
> > On Sat, Oct 12, 2002 at 09:42:51PM -0600, Jeffery Cann wrote:
> > > 
> > > Finally, when I wonder about cookies, I will telnet to my web box and
> > > do a GET on the URL, so I can view the headers outside of the browser.
> > > 
> > > $ telnet www.yourserver.com 80
> > > GET /jed/login.php
> > 
> > Whoa, now that is cool! I had no idea you could do that with Telnet.
> > Certainly useful; however, I just tried it on my Web site, and the
> > server returned the document at the requested URL, but no headers. Are
> > there any command options or environment variables that might affect
> > that?
> 
> Interestingly enough, the telnet method on my machine also doesn't display
> any of the headers, unlike the HEAD command (yes, it's an all upcase
> command, to distinguish it from head). Also use 'lynx -mime-header URL'.
> 

All right, wait a minute - before we start flinging commands into
web servers, can we first get the protocol straight?

The correct syntax for GET is:  "GET PATH VERSION\r\n\r\n".  This
returns headers.  If you use GET like this:  "GET PATH\r\n\r\n", then
many web servers will simply return the document contents, without any
HTTP headers, which is where cookies live.  My impression is that this
is incorrect since the HTTP requires and allows only the GET PATH
VERSION syntax for a request.

All this is in RFC2068; search for the first occurrence of CRLF.

Note that I abuse the HTTP protocol myself by just using newline
termination, when it should actually be \r\n.

<terminal log>
khellman$ printf "GET / HTTP/1.0\n\n" |netcat www.yahoo.com 80 >correct
khellman$ printf "GET /\n\n" |netcat www.yahoo.com 80 >incorrect
khellman$ head correct
HTTP/1.1 200 OK
Date: Sun, 13 Oct 2002 06:51:55 GMT
Cache-Control: private
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close
Content-Type: text/html
khellman$ printf "GET / HTTP/1.0\n\n" |netcat www.yahoo.com -p 80 >correct
no port[s] to connect to
khellman$ printf "GET / HTTP/1.0\n\n" |netcat www.yahoo.com 80 >correct
khellman$ printf "GET /\n\n" |netcat www.yahoo.com 80 >incorrect
khellman$ head correct
HTTP/1.1 200 OK
Date: Sun, 13 Oct 2002 06:51:55 GMT
Cache-Control: private
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close
Content-Type: text/html

<html>
<head>

khellman$ head incorrect
<html>
<head>

<title>Yahoo!</title>
<script language=javascript><!--
lck='',sss=1034491929;//--></script>
<script language=javascript>
var b,d,i,l='',n='0',r,s,y,x;
y=' '+document.cookie+';';
if ((b=y.indexOf(' Y=v'))>=0) {
khellman$ 
</terminal log>
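
The same comparison run against a local server, as an added example that is not part of the original post: it sends both request forms over a raw socket and checks whether a status line and Set-Cookie header come back. It assumes Python's standard http.server as the stand-in web server (it treats a two-word request line as an HTTP/0.9 simple request); CookieHandler, the cookie value and the helper names are constructed for illustration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"<html><body>login</body></html>\n"  # constructed sample page

class CookieHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a login page: every GET sets a session cookie."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Set-Cookie", "PHPSESSID=constructed-sample; path=/")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def raw_request(port, request_bytes):
    """Send the bytes exactly as given; return everything the server replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(request_bytes)
        return sock.makefile("rb").read()  # server closes, so read to EOF

def split_reply(reply):
    """Return (header_lines, body); header_lines is [] if no status line came back."""
    if not reply.startswith(b"HTTP/"):
        return [], reply
    head, _, body = reply.partition(b"\r\n\r\n")
    return head.decode("iso-8859-1").split("\r\n"), body

def compare_request_forms():
    """Issue 'GET / HTTP/1.0' and bare 'GET /' against a throwaway local server."""
    server = HTTPServer(("127.0.0.1", 0), CookieHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        full = split_reply(raw_request(port, b"GET / HTTP/1.0\r\n\r\n"))
        simple = split_reply(raw_request(port, b"GET /\r\n\r\n"))
    finally:
        server.shutdown()
        server.server_close()
    return full, simple

if __name__ == "__main__":
    for name, (headers, body) in zip(("full", "simple"), compare_request_forms()):
        print(name, "request:", len(headers), "header lines,", len(body), "body bytes")
```
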

