+#include "printf.h"
+#include "dcgi.h"
+#include "url.h"
+
+/** @brief Return true if @p a is better than @p b
+ *
+ * NB. We don't bother checking if the path is right, we merely check for the
+ * longest path. This isn't a security hole: if the browser wants to send us
+ * bad cookies it's quite capable of sending just the right path anyway. The
+ * point of choosing the longest path is to avoid using a cookie set by another
+ * CGI script which shares a path prefix with us, which would allow it to
+ * maliciously log users out.
+ *
+ * Such a script could still "maliciously" log someone in, if it had acquired a
+ * suitable cookie. But it could just log in directly if it had that, so there
+ * is no obvious vulnerability here either.
+ */
+static int better_cookie(const struct cookie *a, const struct cookie *b) {
+ if(a->path && b->path)
+ /* If both have a path then the one with the longest path is best */
+ return strlen(a->path) > strlen(b->path);
+ else if(a->path)
+ /* If only @p a has a path then it is better */
+ return 1;
+ else
+ /* If neither have a path, or if only @p b has a path, then @p b is
+ * better */
+ return 0;
+}