I think I found a bug in how Safari 1.3.1 is handling cookies.
I've set up Trac, which is a nice Python wiki/bugtracker, for a client. There are multiple projects set up, and each has its own authentication via htpasswd. The problem I'm having is that when I log in to one project, I can't log in to the other project without logging out of the previous project. I described the problem fully on this bug posting.
Trac uses a trac_auth cookie to keep track of authentication. It has a specified path associated with it, so it's perfectly OK to have multiple trac_auth cookies for the same site and separate authentications for each. But this is simply not working with Safari. Firefox works fine with this. I have 2 projects set up, one with path /projects/splash and another with path /projects/splash_old. I started looking at some tcpdumps to see what Safari is sending. I noticed that when I tried logging into the 2nd project after logging into the 1st one, Safari sent:
Cookie: trac_auth=36b8db01607d7ab36506ad97d38196b3; trac_auth=eb167bd6b57b7a5dae9a3dee48ef13b2
Note the 2 cookies with the same name. There is only one cookie that is supposed to be associated with the path I'm going to (/projects/splash_old) so I don't understand how it could send 2. The cookie specification states that a client may send multiple values of the same cookie if the cookies are part of a parent path. But /projects/splash is not the parent of /projects/splash_old. Or am I missing something? It seems Safari is incorrectly making this assumption.
Looking at a tcpdump of Firefox shows it only sending one trac_auth cookie for the 2nd project and it works fine. Firefox also correctly shows 2 trac_auth cookies in the cookie browser, one associated with each path (/projects/splash and /projects/splash_old), whereas in Safari I could only see one.
Update: I created some simple scripts to reproduce this. Go to this page which will set 2 cookies. One cookie will be for test.php and another for test.php_notpath.php. Clearly the second php script is not a child of the first one. If you follow the link, you should see HTTP_COOKIE only having one value for SafariCookieBug because the resulting page is not a child page. That's how Firefox behaves, but Safari 1.3.1 shows 2 values.
Update: Well, I found out that IE behaves like Safari. So maybe this is not a bug after all.
Update: Deeper into the rabbit hole I go. It turns out Trac uses the Python Cookie module, which doesn't have support for multiple cookies with the same name. It uses a dictionary to store the data. I'll probably make some changes to Trac to get it working, but I submitted a Python bug report.
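The two behaviours traced in this post, as an added example that is not the post's own code or Trac's: plain string-prefix path matching (under which /projects/splash matches /projects/splash_old) next to the path-match rule of RFC 6265, and a dictionary-backed cookie parser keeping one trac_auth value where the header carried two. It uses http.cookies, the Python 3 name of the Cookie module; the function names are illustrative, and the header and paths are the ones quoted above.

```python
from http.cookies import SimpleCookie  # Python 3 name of the Cookie module

# Sample input: the Cookie header and the two project paths quoted in the post.
HEADER = ("trac_auth=36b8db01607d7ab36506ad97d38196b3; "
          "trac_auth=eb167bd6b57b7a5dae9a3dee48ef13b2")
PATHS = ["/projects/splash", "/projects/splash_old"]


def prefix_match(request_path, cookie_path):
    """Plain string-prefix comparison, with no check for a '/' boundary."""
    return request_path.startswith(cookie_path)


def rfc6265_path_match(request_path, cookie_path):
    """Path-match as defined in RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # The prefix must end at a path-segment boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(request_path, matcher):
    """Cookie paths a client using `matcher` would attach to the request."""
    return [p for p in PATHS if matcher(request_path, p)]


def parse_all(header):
    """Keep every name=value pair, in order, including repeated names."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def dict_view(header):
    """What a dictionary-backed parser exposes: one value per name."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    print(cookies_sent("/projects/splash_old", prefix_match))
    print(cookies_sent("/projects/splash_old", rfc6265_path_match))
    print(parse_all(HEADER))
    print(dict_view(HEADER))
```

A server that can receive several trac_auth values can check each value returned by parse_all against its session store, rather than authenticating on whichever single value the dictionary kept.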