Re: [http-state] Make draft-abarth-cookie-06 a working group item?
David Morris <dwm@xpasc.com> Sat, 12 December 2009 19:17 UTC
Return-Path: <dwm@xpasc.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 34F193A683E for <http-state@core3.amsl.com>; Sat, 12 Dec 2009 11:17:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.63
X-Spam-Level:
X-Spam-Status: No, score=-1.63 tagged_above=-999 required=5 tests=[AWL=-0.323, BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WO5P54holZId for <http-state@core3.amsl.com>; Sat, 12 Dec 2009 11:17:36 -0800 (PST)
Received: from mail.xpasc.com (mail.xpasc.com [68.164.244.189]) by core3.amsl.com (Postfix) with ESMTP id F1BD93A67E6 for <http-state@ietf.org>; Sat, 12 Dec 2009 11:17:35 -0800 (PST)
Received: from bslepgate.xpasc.com (localhost.localdomain [127.0.0.1]) by bslepgate.xpasc.com (Postfix-out) with ESMTP id 04ADE101836 for <http-state@ietf.org>; Sat, 12 Dec 2009 11:17:25 -0800 (PST)
X-Propel-Return-Path: <dwm@xpasc.com>
Received: from mail.xpasc.com ([10.1.2.88]) by [127.0.0.1] ([127.0.0.1]) (port 7027) (Abaca EPG outproxy filter 3.1.1.9347 $Rev: 9262 $) id iz6Ur9ccjho0; Sat, 12 Dec 2009 11:17:24 -0800
Received: from xpasc.com (egate.xpasc.com [10.1.2.49]) by bslepgate.xpasc.com (Postfix-out) with ESMTP id CB16410181D for <http-state@ietf.org>; Sat, 12 Dec 2009 11:17:24 -0800 (PST)
Received: from egate.xpasc.com (egate.xpasc.com [10.1.2.49]) by xpasc.com (8.13.8/8.13.8) with ESMTP id nBCJHNIL002009 for <http-state@ietf.org>; Sat, 12 Dec 2009 11:17:23 -0800
Date: Sat, 12 Dec 2009 11:17:23 -0800
From: David Morris <dwm@xpasc.com>
cc: http-state <http-state@ietf.org>
In-Reply-To: <alpine.DEB.2.00.0912121952580.18824@tvnag.unkk.fr>
Message-ID: <Pine.LNX.4.64.0912121107420.26271@egate.xpasc.com>
References: <7789133a0912111441t38d8142frecfc149e2d8464fd@mail.gmail.com> <alpine.DEB.2.00.0912120005060.16918@tvnag.unkk.fr> <4B23BF42.2000002@gmail.com> <alpine.DEB.2.00.0912121952580.18824@tvnag.unkk.fr>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Propel-ID: iz6Ur9ccjho0
Subject: Re: [http-state] Make draft-abarth-cookie-06 a working group item?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: http-state <http-state@ietf.org>
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2009 19:17:38 -0000
On Sat, 12 Dec 2009, Daniel Stenberg wrote: > On Sat, 12 Dec 2009, Dan Winship wrote: > >>> ... with no mention of exactly when the cookie's birth is. I figure we can >>> define it to be since the receive moment for convenience if nothing else. >>> Counting from the sending moment would be hard, even if I bet most server >>> side implementations basically assumes it is from the moment they send the >>> cookie. >> >> For the "max-age" Cache-Control directive, you count from the time in the >> Date header. We could do the same (though we need to put something about >> what to do if there's no Date header). > > I know the libcurl implementation simply takes the current time (when the > cookie is parsed/handled by the client) and adds the cookie's given max-time, > which thus matches the current draft. I would suspect others do too since it > is the easiest approach. > > Does anyone here know of an implementation that (tries to) make it based on > the server-side's creation time? There is really no point in over engineering this value ... if it isn't sufficient to expire the cookie max-age seconds from when it is parsed, then max-age is fundamentally an inadequate mechanism for managing expiration. Network delays, system processing delays, system time changes all conspire to create imprecision. If a server can be subverted because a cookie didn't expire for a few seconds longer than intended, of the user experience is broken because it expired too soon, then there is an underlying application design issue that no amount of hassling over interpretation of the max-age value can resolve. Simply stated, max-age is based on the receipt time of the response and which shouldn't be any later than completion of processing the response or any earlier than when the request was made.
- [http-state] Make draft-abarth-cookie-06 a workin… Adam Barth
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Daniel Stenberg
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Adam Barth
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Peter Saint-Andre
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Adam Barth
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Dan Winship
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Daniel Stenberg
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Make draft-abarth-cookie-06 a wo… David Morris
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Dan Witte
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Daniel Stenberg
- Re: [http-state] Make draft-abarth-cookie-06 a wo… Adam Barth