Re: [http-state] Ticket 5: Cookie ordering
Daniel Stenberg <daniel@haxx.se> Tue, 19 January 2010 22:50 UTC
Return-Path: <daniel@haxx.se>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C6803A683D for <http-state@core3.amsl.com>; Tue, 19 Jan 2010 14:50:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lmchq32kU4Ce for <http-state@core3.amsl.com>; Tue, 19 Jan 2010 14:50:25 -0800 (PST)
Received: from giant.haxx.se (giant.haxx.se [83.168.254.42]) by core3.amsl.com (Postfix) with ESMTP id BED983A680B for <http-state@ietf.org>; Tue, 19 Jan 2010 14:50:24 -0800 (PST)
Received: from giant.haxx.se (giant.haxx.se [83.168.254.42]) by giant.haxx.se (8.14.3/8.14.3/Debian-9) with ESMTP id o0JMoGfI030029; Tue, 19 Jan 2010 23:50:16 +0100
Date: Tue, 19 Jan 2010 23:50:16 +0100
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: Adam Barth <ietf@adambarth.com>
In-Reply-To: <7789133a1001191410l48530adar28098a03e6de0fb1@mail.gmail.com>
Message-ID: <alpine.DEB.2.00.1001192327190.27499@tvnag.unkk.fr>
References: <7789133a1001191410l48530adar28098a03e6de0fb1@mail.gmail.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 5: Cookie ordering
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2010 22:50:26 -0000
On Tue, 19 Jan 2010, Adam Barth wrote: > Currently the draft defines the order in which cookies should appear in the > Cookie header. In particular, cookies are ordered first by the length of > the Path attribute (longest first) and then by creation date (earliest > first). The majority of the most widely used user agents use this ordering. > (I can look up exactly which browsers follow the ordering if that's > important.) My take on cookies is from the other direction. I think we should specify and document what needs to be done in order to work with the vast majority of sites. I don't think mimicing browsers is a good idea if there's no demand for that from the other side. I know that just about every behavior in browsers can be tracked back to a bug in at least one of them and then the others followed or had their own bug report and acted independently. Still, many of those acts were more or less server-side bugs that SHOULD (imho of course but I suspect I'm not alone in this belief) have been fixed in the servers but browser vendors have been too scared to loose users so they've instead adapted to stupidities. But this said, I'm willing to say that a specific "quirk" is no longer a server side bug if a large enough amount of servers are already using it. Say if three or more of the top-500 sites do it (I'm just throwing out a way to count, I didn't really think the numbers through). > Sending cookies with longer (i.e., more specific) paths first is important > for compatibly because some servers host multiple (mutually trusting) web > applications at different (possibly overlapping) paths. For example, > mail.google.com hosts a public instance of Gmail at https://mail.google.com/ > and corporate instances of Gmail at https://mail.google.com/a/example.com/. > These web applications expect their own cookies (with the more specific > path) to be presented before cookies for other web applications (even if the > cookies have the same names). In fact, this behavior is required by the > original Netscape cookie spec. (This is a change compared to my previous statements in this matter.) I now agree that there's in fact a need to be certain that the "most specific" version of two names is sent first, and I quite like the phrasing the netscape doc: cookies with a more specific path mapping should be sent before cookies with less specific path mappings I don't think it needs to say that _all_ cookies need to be sorted on path length, as that's not what servers need. The purpose of the suggested secondary sort key on creation date however is less clear to me. That would be for sites using overlapping paths (with the same lengths), identical cookie names and then it would depend on which order the cookies were created. Is there really a presently existing site that requires this functionality in browsers? > (3) Require that cookies with longer paths appear before cookies with > shorter paths If they have the same name, yes. > but do not require an ordering among cookies with equal path lengths. This > approach maximizes user agent flexibility while meeting the most important > compatibility needs, but it's unclear to me that there is value in > maximizing user agent flexibility in this regard. It seems like if we're > going to specify an ordering for cookies, we might as well specify the total > ordering used by the most popular user agents. Since user agents can also at whim decide to not accept cookies (and perfectly allowed to do so according to previous and this spec), a server cannot reliably know in advance which cookie that was created first so it couldn't reliably be written to depend on that order. Could it? Again: alternative implementations do not necessarily seek to act like other browsers, they may just try to work against all servers. -- / daniel.haxx.se
- [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering Daniel Stenberg
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering David Morris
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering David Morris
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering Daniel Stenberg
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering Daniel Stenberg
- Re: [http-state] Ticket 5: Cookie ordering Dan Winship
- Re: [http-state] Ticket 5: Cookie ordering Dan Winship
- Re: [http-state] Ticket 5: Cookie ordering Maciej Stachowiak
- Re: [http-state] Ticket 5: Cookie ordering Anne van Kesteren
- Re: [http-state] Ticket 5: Cookie ordering Yngve Nysaeter Pettersen
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering Yngve Nysaeter Pettersen
- Re: [http-state] Ticket 5: Cookie ordering Daniel Stenberg
- Re: [http-state] Ticket 5: Cookie ordering Yngve Nysaeter Pettersen
- Re: [http-state] Ticket 5: Cookie ordering Dan Witte
- Re: [http-state] Ticket 5: Cookie ordering Paul E. Jones
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering Achim Hoffmann
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering Dan Witte
- Re: [http-state] Ticket 5: Cookie ordering Achim Hoffmann
- Re: [http-state] Ticket 5: Cookie ordering Adam Barth
- Re: [http-state] Ticket 5: Cookie ordering Daniel Stenberg
- Re: [http-state] Ticket 5: Cookie ordering Achim Hoffmann