Re: [http-state] Ticket 5: Cookie ordering

"Paul E. Jones" <paulej@packetizer.com> Mon, 08 February 2010 16:48 UTC

From: "Paul E. Jones" <paulej@packetizer.com>
To: <yngve@opera.com>, "'Daniel Stenberg'" <daniel@haxx.se>
References: <7789133a1001191410l48530adar28098a03e6de0fb1@mail.gmail.com> <op.u7mkruzjvqd7e2@killashandra.oslo.osa> <alpine.DEB.2.00.1002050932580.3094@tvnag.unkk.fr> <op.u7nnk8uyvqd7e2@killashandra.oslo.osa> <op.u7tgx5y4vqd7e2@killashandra.oslo.osa>
In-Reply-To: <op.u7tgx5y4vqd7e2@killashandra.oslo.osa>
Date: Mon, 8 Feb 2010 11:49:09 -0500
Message-ID: <007901caa8de$a283e780$e78bb680$@com>
Cc: 'http-state' <http-state@ietf.org>
Subject: Re: [http-state] Ticket 5: Cookie ordering

Yngve,

> My suggestion would be that the spec should recommend an ordering
> based on both domain and path (order of preference to be decided), as
> that will be more predictable for sites using multiple cookies with the
> same name at various domain and path levels.

Should we rely on the client to do this?  Your proposal is good, but I'm
skeptical that I can rely on this as a developer on the server side.

Personally, I'd prefer that the client never send two cookies with the same
name.  If there are two or more cookies in the browser with the same name, I
would think the browser should only send the cookie with the most precise
path match.  So, if there is a cookie at / and a cookie at /foo, and the
user is accessing /foo, only the cookie for that path would be provided.  Is
there a good reason to send multiple cookies with the same name?

Paul
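The two client behaviours debated above, as an added example that is not code from this thread or from any browser: one function sends every matching cookie with longer paths first (the ordering RFC 6265 section 5.4 later adopted), the other sends only the most specific path match per name, and a third models a server framework that keeps the first occurrence of a name (an assumption about server-side parsing, not a claim about any particular framework). The cookie jar and host names are constructed sample data.

```python
from dataclasses import dataclass, field
from itertools import count

_creation = count()  # creation order, as a user agent would track it


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    created: int = field(default_factory=lambda: next(_creation))


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: exact, or prefix on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def domain_matches(host: str, cookie_domain: str) -> bool:
    # simplified: the host itself or any sub-domain of the cookie's domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


def matching(jar, host, request_path):
    return [c for c in jar if domain_matches(host, c.domain) and path_matches(request_path, c.path)]


def cookie_header_ordered(jar, host, request_path) -> str:
    """Send all matches: longer paths first, then older cookies first."""
    cookies = sorted(matching(jar, host, request_path), key=lambda c: (-len(c.path), c.created))
    return "; ".join(f"{c.name}={c.value}" for c in cookies)


def cookie_header_most_specific(jar, host, request_path) -> str:
    """Paul's alternative: per name, send only the longest matching path."""
    best = {}
    for c in matching(jar, host, request_path):
        if c.name not in best or len(c.path) > len(best[c.name].path):
            best[c.name] = c
    return "; ".join(f"{c.name}={c.value}" for c in sorted(best.values(), key=lambda c: c.created))


def server_first_wins(header: str) -> dict:
    """Assumed server behaviour: the first occurrence of a cookie name wins."""
    seen = {}
    for part in header.split("; ") if header else []:
        name, _, value = part.partition("=")
        seen.setdefault(name, value)
    return seen


# constructed jar: same name at "/" and "/foo", plus an unrelated cookie
JAR = [
    Cookie("session", "root-scope", "example.com", "/"),
    Cookie("session", "foo-scope", "example.com", "/foo"),
    Cookie("theme", "dark", "example.com", "/"),
]
```

With the longer-path-first ordering, a first-occurrence server still ends up with the /foo value for a request to /foo, which is the predictability the ordering rule is meant to give; a request to /foobar does not match the /foo cookie at all because the prefix does not end on a path segment boundary.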