From: Noirin Plunkett <noirin@apache.org>
Date: Sun, 18 Jun 2006 22:00:34 +0000 (+0000)
Subject: Backports of mod_usertrack fixes
X-Git-Tag: 2.0.59~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c63baab8808573e5c870fb4338fee215d14eecab;p=thirdparty%2Fapache%2Fhttpd.git

Backports of mod_usertrack fixes


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@415205 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_usertrack.html.en b/docs/manual/mod/mod_usertrack.html.en
index c2ec23adb95..d64ec460211 100644
--- a/docs/manual/mod/mod_usertrack.html.en
+++ b/docs/manual/mod/mod_usertrack.html.en
@@ -130,7 +130,21 @@ time late in the year "37".
 
     <p>The domain string <strong>must</strong> begin with a dot, and
     <strong>must</strong> include at least one embedded dot. That is,
-    ".foo.com" is legal, but "foo.bar.com" and ".com" are not.</p>
+    <code>.foo.com</code> is legal, but <code>foo.bar.com</code> and
+    <code>.com</code> are not.</p>
+
+    <div class="note">Most browsers in use today will not allow cookies to be set
+    for a two-part top level domain, such as <code>.co.uk</code>,
+    although such a domain ostensibly fulfills the requirements
+    above.<br />
+
+    These domains are equivalent to top level domains such as
+    <code>.com</code>, and allowing such cookies may be a security
+    risk. Thus, if you are under a two-part top level domain, you
+    should still use your actual domain, as you would with any other top
+    level domain (for example, use <code>.foo.co.uk</code>).
+    </div>
+
 
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
@@ -204,7 +218,8 @@ time late in the year "37".
 
     <p>Not all clients can understand all of these formats. but you
     should use the newest one that is generally acceptable to your
-    users' browsers.</p>
+    users' browsers. At the time of writing, most browsers only fully
+    support <code>CookieStyle Netscape</code>.</p>
 
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
@@ -218,12 +233,13 @@ time late in the year "37".
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_usertrack</td></tr>
 </table>
-    <p>When the user track module is compiled in, and
-    "CookieTracking on" is set, Apache will start sending a
+    <p>When <code class="module"><a href="../mod/mod_usertrack.html">mod_usertrack</a></code> is loaded, and
+    <code>CookieTracking on</code> is set, Apache will send a
     user-tracking cookie for all new requests. This directive can
     be used to turn this behavior on or off on a per-server or
-    per-directory basis. By default, compiling mod_usertrack will
-    not activate cookies. </p>
+    per-directory basis. By default, enabling
+    <code class="module"><a href="../mod/mod_usertrack.html">mod_usertrack</a></code> will <strong>not</strong>
+    activate cookies. </p>
 
 
 </div>
diff --git a/docs/manual/mod/mod_usertrack.xml b/docs/manual/mod/mod_usertrack.xml
index 31eace67869..97777cde800 100644
--- a/docs/manual/mod/mod_usertrack.xml
+++ b/docs/manual/mod/mod_usertrack.xml
@@ -122,7 +122,21 @@ time late in the year "37".
 
     <p>The domain string <strong>must</strong> begin with a dot, and
     <strong>must</strong> include at least one embedded dot. That is,
-    ".foo.com" is legal, but "foo.bar.com" and ".com" are not.</p>
+    <code>.foo.com</code> is legal, but <code>foo.bar.com</code> and
+    <code>.com</code> are not.</p>
+
+    <note>Most browsers in use today will not allow cookies to be set
+    for a two-part top level domain, such as <code>.co.uk</code>,
+    although such a domain ostensibly fulfills the requirements
+    above.<br />
+
+    These domains are equivalent to top level domains such as
+    <code>.com</code>, and allowing such cookies may be a security
+    risk. Thus, if you are under a two-part top level domain, you
+    should still use your actual domain, as you would with any other top
+    level domain (for example, use <code>.foo.co.uk</code>).
+    </note>
+
 </usage>
 </directivesynopsis>
 
@@ -209,7 +223,8 @@ time late in the year "37".
 
     <p>Not all clients can understand all of these formats. but you
     should use the newest one that is generally acceptable to your
-    users' browsers.</p>
+    users' browsers. At the time of writing, most browsers only fully
+    support <code>CookieStyle Netscape</code>.</p>
 </usage>
 </directivesynopsis>
 
@@ -229,12 +244,13 @@ time late in the year "37".
 <override>FileInfo</override>
 
 <usage>
-    <p>When the user track module is compiled in, and
-    "CookieTracking on" is set, Apache will start sending a
+    <p>When <module>mod_usertrack</module> is loaded, and
+    <code>CookieTracking on</code> is set, Apache will send a
     user-tracking cookie for all new requests. This directive can
     be used to turn this behavior on or off on a per-server or
-    per-directory basis. By default, compiling mod_usertrack will
-    not activate cookies. </p>
+    per-directory basis. By default, enabling
+    <module>mod_usertrack</module> will <strong>not</strong>
+    activate cookies. </p>
 
 </usage>
 </directivesynopsis>