Viraj's Weblog

Is it me, or is Sourceforge getting extremely ugly and impossible to navigate? The place is filled with tons of ads and dumb Yahoo search results everywhere. What's worse is the ads and unrelated stuff looks exactly the same as the rest of the page and it is hard to dilineate ads from useful content. I guess that is their goal. For some reason, whenever I go to Sourceforge it feels like I gain 20 pounds.

I think I found a bug in how Safari 1.3.1 is handling cookies.

I've setup Trac, which is a nice Python wiki/bugtracker for a client. There are multiple projects setup, and each has its own authentication via htpasswd. The problem I'm having is when I login to one project, I can't login to the other project without logging out of the previous project. I described the problem fully on this bug posting.

Trac uses a trac_auth cookie to keep track of authentication. It has a specified path associated with it, so it's perfectly ok to have multiple trac_auth cookies for the same site and separate authentications for each. But this is simply not working with Safari. Firefox works fine with this. I have 2 projects setup, one with path /projects/splash and another with path /projects/splash_old. I started looking at some tcpdumps to see what Safari is sending. I noticed that when I tried logging into the 2nd project after logging into the 1st one, Safari sent:

Cookie: trac_auth=36b8db01607d7ab36506ad97d38196b3; trac_auth=eb167bd6b57b7a5dae9a3dee48ef13b2

Note the 2 cookies with the same name. There is only one cookie that is supposed to be associated with the path I'm going to (/projects/splash_old) so I don't understand how it could send 2. The cookie specification states that a client may send multiple values of the same cookie if the cookies are part of a parent path. But /projects/splash is not the parent of /projects/splash_old. Or am I missing something? It seems Safari is incorrectly making this assumption.

Looking at a tcpdump of Firefox shows it only sending one trac_auth cookie for the 2nd project and it works fine. Firefox also correctly shows 2 trac_auth cookies in the cookie browser, one associated with each path (/projects/splash and /projects/splash_old), whereas in Safari I could only see one.

Update: I created some simple scripts to reproduce this. Go to this page which will set 2 cookies. One cookie will be for test.php and another for test.php_notpath.php. Clearly the second php script is not a child of the first one. If you follow the link, you should see HTTP_COOKIE only having one value for SafariCookieBug because the resulting page is not a child page. That's how Firefox behaves, but Safari 1.3.1 shows 2 values.

Update: Well I found out that IE behaves like Safari. So maybe this is not a bug after all.

Update: Deeper into the rabbit hole I go. It turns out Trac uses the Python Cookie module, which doesn't have support for multiple cookies with the same name. It uses a dictionary to store the data. I'll probably make some changes to Trac to get it working, but I submitted a Python bug report.