Re: [http-state] draft-ietf-httpstate-cookie-05 posted

Adam Barth <ietf@adambarth.com> Mon, 15 March 2010 16:22 UTC

To: Julian Reschke <julian.reschke@gmx.de>
Cc: Daniel Stenberg <daniel@haxx.se>, http-state <http-state@ietf.org>

On Mon, Mar 15, 2010 at 9:14 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 15.03.2010 17:08, Adam Barth wrote:
>> On Mon, Mar 15, 2010 at 2:54 AM, Yngve N. Pettersen (Developer Opera
>> Software ASA) <yngve@opera.com> wrote:
>>> On Mon, 15 Mar 2010 09:16:47 +0100, Daniel Stenberg <daniel@haxx.se>
>>> wrote:
>>>> On Mon, 15 Mar 2010, Yngve N. Pettersen (Developer Opera Software ASA)
>>>> wrote:
>>>>
>>>>> * cookie-name should not be allowed to start with "$". I would prefer a
>>>>> MUST NOT, but a SHOULD NOT might be sufficient.
>>>>
>>>> Has anyone tried to check how common such cookie names are? And related:
>>>> are there existing widely used cookie implementations where using such a
>>>> name causes problems?
>>>
>>> Our information from our 2008 MAMA
>>> <http://dev.opera.com/articles/view/mama/> spider run of 3.5 million URLs
>>> found 60 URLs that set cookies with names starting with $, but there were
>>> only 4 name variations, the largest group apparently originating with a
>>> single web development company with offices in North Carolina, South
>>> Carolina and Georgia, and websites for companies/cities in that area.
>>
>> Hum...  That makes it sound like we shouldn't add a user agent
>> requirement on this topic until phase 2.
>
> Really?
>
> It has been reserved, should be reserved, and seems to be only used *very*
> rarely...

We're only supposed to require user agents to do things that are
already widely implemented.  I'll happily add this requirement if user
agents widely implement it, but that's not the case currently.
There's a bunch of stuff in RFC 2109 that's been "reserved" and
"should be reserved" but the reality today is that it isn't reserved.

Adam