Re: [http-state] Cookie path and trailing "/"

Adam Barth <ietf@adambarth.com> Tue, 02 April 2013 01:08 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Mon, 1 Apr 2013 18:07:31 -0700
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: Pete Resnick <presnick@qti.qualcomm.com>, Barry Leiba <barryleiba@computer.org>, http-state <http-state@ietf.org>

On Mon, Apr 1, 2013 at 6:01 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> Hello cookie masters,
>
> In the following example of an http response, two cookies are set which differ in the trailing slash of the Path attribute
>
>     HTTP/1.1 200 OK
>     Set-Cookie: n=v1; Path=/abc
>     Set-Cookie: n=v2; Path=/abc/
>
> According to RFC6265, these are two distinct cookies. And cookie#2 is not applicable to request-path "/abc".
>
> In my tests, IE and Chrome conform to these requirements. My question is, are these requirements as intended?

Yes.

> What was the reason behind it?

Based on our testing at the time, it was the most widely implemented behavior.

> On Firefox the two cookies are also treated as distinct cookies; however Firefox erroneously sends cookie#2 for request-path "/abc". Should that be considered a bug?

If Firefox changes its behavior to match the spec, it will be more
interoperable with other user agents, which seems like a good thing.

Adam
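
The behaviour discussed in this thread, as an added example (not part of the original message): the RFC 6265 section 5.1.4 path-match rule and a minimal cookie store keyed on name and path, run against the two Set-Cookie lines quoted above. The names pathMatch and CookieJar are hypothetical, and a missing Path falls back to "/" instead of the RFC's default-path computation.

```javascript
// Added example: RFC 6265 section 5.1.4 path-match plus a minimal cookie store.
// Domain, Secure, HttpOnly and expiry handling are deliberately left out.

// True when a cookie stored with cookiePath applies to requestPath.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match counts only when it ends on a "/" boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() {
    this.cookies = []; // entries: { name, value, path, created }
    this.counter = 0;
  }

  // Store "name=value; Path=/p". Identity here is (name, path), so paths that
  // differ only by a trailing "/" become separate entries.
  setCookie(header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let path = "/"; // assumption: simplified default when Path is absent
    for (const attr of attrs) {
      const [k, v = ""] = attr.split("=");
      if (k.trim().toLowerCase() === "path" && v.startsWith("/")) path = v;
    }
    const old = this.cookies.find((c) => c.name === name && c.path === path);
    if (old) old.value = value; // replacement keeps the creation order
    else this.cookies.push({ name, value, path, created: this.counter++ });
  }

  // Cookie header value: longer paths first, then earlier-created first.
  cookieHeader(requestPath) {
    return this.cookies
      .filter((c) => pathMatch(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// The two Set-Cookie lines from the message above.
const jar = new CookieJar();
jar.setCookie("n=v1; Path=/abc");
jar.setCookie("n=v2; Path=/abc/");
for (const p of ["/abc", "/abc/", "/abc/x", "/abcd"]) {
  console.log(p, "->", jar.cookieHeader(p) || "(no cookies)");
}
```

A server that reads only the first n in the Cookie header sees v1 on /abc and v2 on /abc/, so handlers that treat the two URLs as the same resource should not rely on Path to pick the value.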