Re: [http-state] draft-ietf-httpstate-cookie-05 posted

Adam Barth <ietf@adambarth.com> Mon, 15 March 2010 16:24 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Mon, 15 Mar 2010 09:23:42 -0700
Message-ID: <5c4444771003150923u1b965a66l24ab217036923ec0@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Daniel Stenberg <daniel@haxx.se>, http-state <http-state@ietf.org>
Subject: Re: [http-state] draft-ietf-httpstate-cookie-05 posted

On Mon, Mar 15, 2010 at 9:21 AM, Adam Barth <ietf@adambarth.com> wrote:
> On Mon, Mar 15, 2010 at 9:14 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>> On 15.03.2010 17:08, Adam Barth wrote:
>>> On Mon, Mar 15, 2010 at 2:54 AM, Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com> wrote:
>>>> On Mon, 15 Mar 2010 09:16:47 +0100, Daniel Stenberg <daniel@haxx.se> wrote:
>>>>> On Mon, 15 Mar 2010, Yngve N. Pettersen (Developer Opera Software ASA) wrote:
>>>>>
>>>>>> * cookie-name should not be allowed to start with "$". I would prefer a
>>>>>> MUST NOT, but a SHOULD NOT might be sufficient.
>>>>>
>>>>> Has anyone tried to check how common such cookie names are? And related:
>>>>> are there existing widely used cookie implementations where using such a
>>>>> name causes problems?
>>>>
>>>> Our information from our 2008 MAMA <http://dev.opera.com/articles/view/mama/>
>>>> spider run of 3.5 million URLs found 60 URLs that set cookies with names
>>>> starting with $, but there were only 4 name variations, the largest group
>>>> apparently originating with a single web development company with offices in
>>>> North Carolina, South Carolina and Georgia, and websites for
>>>> companies/cities in that area.
>>>
>>> Hum...  That makes it sound like we shouldn't add a user agent
>>> requirement on this topic until phase 2.
>>
>> Really?
>>
>> It has been reserved, should be reserved, and seems to be only used *very*
>> rarely...
>
> We're only supposed to require user agents to do things that are
> already widely implemented.  I'll happily add this requirement if user
> agents widely implement it, but that's not the case currently.
> There's a bunch of stuff in RFC 2109 that's been "reserved" and
> "should be reserved" but the reality today is that it isn't reserved.

Another perspective is that there's no big rush to add this
requirement.  It's probably not going to make user agents change their
behavior appreciably faster.  We might as well wait on moving the
mountain to phase 2.

Adam