Ignore invalid cookies instead of throwing an exception

Hey there… currently we noticed a lot of exceptions from invalid cookie names. I’m not really sure where these cookies came from, but I think Flow shouldn’t throw an exception but instead simply ignore the invalid cookie.

At the moment, you can break every Flow/Neos site by simply executing this line in the JS console:

document.cookie = 'torstens[fakecookie]=123'

Also I found no way to avoid this exception because every involved class has @Flow\Proxy(false), so AOP is not an option. Currently I’ve fixed this error by filtering $_SERVER['HTTP_COOKIE'] inside my Package.php file, but this should not be the way.

What do you think?

Hi Torsten,

Can you copy/paste a backtrace of such an exception? Just to get a clear view of where and which exception is thrown.

@sorenmalling … I’ve also seen this effect already … this happens because the constructor of the cookie class here https://github.com/neos/flow-development-collection/blob/master/Neos.Flow/Classes/Http/Cookie.php#L103 is very strict regarding the RFC for cookie names. I remember a discussion a while ago that resulted in the conclusion that it might be a good idea to ignore this check in certain cases.

Hey, I’ve created a pull request that ignores every invalid cookie name: https://github.com/neos/flow-development-collection/pull/971

It’s a tough thing. There is an RFC, a standard for how cookies should look; if you don’t stick to it, you do it wrong and the system should tell you, so from that perspective the exception is perfectly fine. Just ignoring the cookie will lead to people wondering where their cookie has gone, so we should at least log that incident IF we want to ignore it.


Personally in favor of not throwing exceptions in production context for this, but rather log the exception in that case. That’s done in other cases in Flow as well.


@christianm we use Neos as some sort of hub that is the homepage of a lot of other systems (some Flow, some WordPress) and all of those systems come with their own dependencies and own frontend (JavaScript) extensions. So this exception is not caused by us directly or by bad coding. Any JS code can set an invalid cookie… and by that bring the whole system down.

I don’t really understand your point, because this pull request https://github.com/neos/flow-development-collection/pull/144 does nearly the same thing as mine: Ignoring without logging.

I’ll change my pull request so that it will pass the tests.

Fair enough, I guess I learned. I am not really sure, just playing it safe, I would love input from @kdambekalns or @robert on this matter.

I’d also vote for logging in Production instead of throwing an Exception!

An important thing to note is that this does not only happen between the frontend and Flow. I had trouble once when communicating with a custom backend that used some non-standard cookies. We luckily could solve this by explaining the cookie RFC to the vendor of that system, but it was pure luck that it was that easy.

In total I think Flow should be able to talk to partners who are lazy with cookies and at least not fail.


Yeah, fine with logging those cases in production.
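The behaviour the thread converges on (skip a cookie whose name is not an RFC 6265 token, but log the incident instead of throwing) looks roughly like the following. This is an added stand-alone example, not the Flow code base or the pull request linked above; the helper names `isValidCookieName` and `parseCookieHeader`, the logger callable and the sample header are all constructed for illustration. The name check implements the RFC 2616 `token` rule that RFC 6265 reuses for `cookie-name`, which is why `[` and `]` in `torstens[fakecookie]` make that name invalid.

```php
<?php
declare(strict_types=1);

/*
 * Tolerant Cookie-header parsing (hypothetical helper, not Flow's own code).
 *
 * RFC 6265: cookie-name = token
 * RFC 2616: token = 1*<any CHAR except CTLs or separators>
 *           separators = ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
 * So a valid name consists only of ALPHA, DIGIT and !#$%&'*+-.^_`|~ .
 */
const COOKIE_NAME_PATTERN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/';

function isValidCookieName(string $name): bool
{
    return preg_match(COOKIE_NAME_PATTERN, $name) === 1;
}

/**
 * Parse a raw Cookie request header into name => value pairs.
 *
 * Instead of throwing on an invalid name (the behaviour complained about in
 * the thread), the offending pair is skipped and reported through $logger so
 * that the incident is still visible to operators.
 *
 * @param callable(string): void $logger  receives one message per skipped cookie
 * @return array<string, string>
 */
function parseCookieHeader(string $header, callable $logger): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue; // empty segment, e.g. trailing ";"
        }
        $eq = strpos($pair, '=');
        if ($eq === false) {
            // cookie-pair must contain "="; report and move on
            $logger(sprintf('Ignoring malformed cookie pair "%s"', $pair));
            continue;
        }
        $name = substr($pair, 0, $eq);
        $value = substr($pair, $eq + 1);
        if (!isValidCookieName($name)) {
            $logger(sprintf('Ignoring cookie with invalid name "%s"', $name));
            continue;
        }
        // Keep the first occurrence; user agents send the most specific path first.
        if (!array_key_exists($name, $cookies)) {
            $cookies[$name] = $value;
        }
    }
    return $cookies;
}

// Constructed sample header, mirroring the thread's document.cookie example.
$sampleHeader = 'torstens[fakecookie]=123; session_id=abc123; theme=dark; broken';

$logLines = [];
$parsed = parseCookieHeader($sampleHeader, function (string $message) use (&$logLines): void {
    // In a real application this would go to a PSR-3 logger instead of an array.
    $logLines[] = $message;
});

print_r($parsed);
print_r($logLines);
```

Run with `php example.php`: the two well-formed cookies are returned, while `torstens[fakecookie]=123` and the `broken` segment each produce a log line rather than an exception. Whether to log at `warning` or `notice` level, and whether to keep throwing in a Development context as the thread suggests for Production only, is a policy choice layered on top of this helper.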