Google analytics cookies & HP Procurve switch

Hi,

We have an issue with a new HP Procurve 2910 switch, where we cannot log into the web interface using the FQDN if Google Analytics cookies exist in the browser for the top-level domain. The switch web server returns a 400, Bad Request.

The utma, utmb, utmc, utmz cookies exist for the top-level domain .vpac.org and the switch is e.g. switch01.in.vpac.org.

If I delete the cookies, there is no issue, and the web interface responds correctly. If I use only the short hostname, no cookies get sent and the web interface responds correctly.

HP support has closed the issue I had opened with them, as they believe this is by design, and that the Google Analytics cookies are "invalid":

"Lab has done extensive consultation on this matter and they are convinced that the behavior exhibited by 2910 is expected and by design. 2910 has the session management feature, which allows the switch to validate cookies. The switch's web-server cannot ignore the invalid cookies. 2510 is missing this feature, that is why you're not seeing the problem with invalid cookies when you try to access 2510. If you want to have cookies (which I am sure you do) and at the same time want to access 2910 via FQDN, you need to restrict their cookies to specific subdomains. Or access the switches via IP address to avoid google analytic cookies to be presented to the switch's webserver."

I've been looking through the current RFC for HTTP State Management Mechanism[1], but can't find any reference to what the server should do if it receives cookies for the top-level domain. Ideally it should ignore them? But there don't seem to be any requirements in the spec relating to that.

I'd like to reply to HP with suggestions, but it seems as though they are already following the spec? (even if it doesn't work as expected).

Any ideas?

Regards,
Marcus.

[1] http://tools.ietf.org/html/rfc6265

-- 
Marcus Furlong
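The cookie scoping described in the message above, as an added example that is not part of the original thread and is not HP's firmware logic: it applies the RFC 6265 section 5.1.3 domain-match rule to show which hostnames receive the .vpac.org cookies, then shows a tolerant server-side lookup that skips cookie names it does not own. The cookie values, the IP address 192.0.2.10 and the `sessionId` cookie name are assumptions made for illustration.

```python
import ipaddress

# Constructed cookie jar: names and Domain as reported in the message,
# values are placeholders.
JAR = [
    {"name": "utma", "value": "constructed-a", "domain": ".vpac.org"},
    {"name": "utmb", "value": "constructed-b", "domain": ".vpac.org"},
    {"name": "utmc", "value": "constructed-c", "domain": ".vpac.org"},
    {"name": "utmz", "value": "constructed-z", "domain": ".vpac.org"},
]


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a non-IP host."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # suffix matching never applies to IP addresses
    except ValueError:
        pass
    return host.endswith("." + domain)


def cookie_header_for(request_host, jar=JAR):
    """Build the Cookie header value a browser would send to request_host."""
    pairs = [f"{c['name']}={c['value']}" for c in jar
             if domain_match(request_host, c["domain"])]
    return "; ".join(pairs)


def session_cookie(cookie_header, name="sessionId"):
    """Tolerant lookup: return our own cookie (hypothetical name), ignore all others."""
    for pair in cookie_header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            return value
    return None  # no session cookie present: treat as unauthenticated, not as an error


if __name__ == "__main__":
    for host in ("switch01.in.vpac.org", "switch01", "192.0.2.10"):
        print(f"{host:22} Cookie: {cookie_header_for(host)!r}")
```
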

On Thu, Feb 16, 2012 at 01:23:44PM +1100, Marcus Furlong wrote:
> I'd like to reply to HP with suggestions, but it seems as though they are already following the spec? (even if it doesn't work as expected). Any ideas?

you could look at it this way: HP are doing you a favour by reminding you to install NoScript (ffox), NotScripts (chromium), AdBlock+, DoNotTrack and/or other tools to block spyware like google analytics.

The g-a cookies don't benefit YOU in any way. In fact, they HARM you. They only exist to track and spy on you, and you're better off without them.

craig

-- 
craig sanders <cas@taz.net.au>