Re: [http-state] draft-ietf-httpstate-cookie-05 posted

Adam Barth <ietf@adambarth.com> Mon, 15 March 2010 16:22 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A21313A6BAF for <http-state@core3.amsl.com>; Mon, 15 Mar 2010 09:22:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJMnVO5g83EV for <http-state@core3.amsl.com>; Mon, 15 Mar 2010 09:22:16 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 4E89B3A68C2 for <http-state@ietf.org>; Mon, 15 Mar 2010 09:22:12 -0700 (PDT)
Received: by pvh1 with SMTP id 1so1013669pvh.31 for <http-state@ietf.org>; Mon, 15 Mar 2010 09:22:17 -0700 (PDT)
Received: by 10.115.36.31 with SMTP id o31mr5154401waj.79.1268670125567; Mon, 15 Mar 2010 09:22:05 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by mx.google.com with ESMTPS id 20sm5915842pzk.7.2010.03.15.09.22.04 (version=SSLv3 cipher=RC4-MD5); Mon, 15 Mar 2010 09:22:04 -0700 (PDT)
Received: by pvh1 with SMTP id 1so1013510pvh.31 for <http-state@ietf.org>; Mon, 15 Mar 2010 09:22:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.21.40 with SMTP id y40mr5571483wfi.348.1268670123297; Mon, 15 Mar 2010 09:22:03 -0700 (PDT)
In-Reply-To: <4B9E5CF6.50507@gmx.de>
References: <5c4444771003071050r3475798co95cc192d1f2e8190@mail.gmail.com> <op.u9k0zvitqrq7tp@acorna.oslo.opera.com> <alpine.DEB.2.00.1003150915130.17195@tvnag.unkk.fr> <op.u9lshja5qrq7tp@acorna.oslo.opera.com> <5c4444771003150908u252a1813s37f88f45f1aa5a95@mail.gmail.com> <4B9E5CF6.50507@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 15 Mar 2010 09:21:43 -0700
Message-ID: <5c4444771003150921x6c8b4061x4fc53335845a0d4d@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Daniel Stenberg <daniel@haxx.se>, http-state <http-state@ietf.org>
Subject: Re: [http-state] draft-ietf-httpstate-cookie-05 posted
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2010 16:22:18 -0000

On Mon, Mar 15, 2010 at 9:14 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 15.03.2010 17:08, Adam Barth wrote:
>> On Mon, Mar 15, 2010 at 2:54 AM, Yngve N. Pettersen (Developer Opera
>> Software ASA)<yngve@opera.com>  wrote:
>>> On Mon, 15 Mar 2010 09:16:47 +0100, Daniel Stenberg<daniel@haxx.se>
>>>  wrote:
>>>> On Mon, 15 Mar 2010, Yngve N. Pettersen (Developer Opera Software ASA)
>>>> wrote:
>>>>
>>>>> * cookie-name should not be allowed to start with "$". I would prefer a
>>>>> MUST NOT, but a SHOULD NOT might be sufficient.
>>>>
>>>> Have anyone tried to check how common such cookie names are? And
>>>> related:
>>>> are there existing widely used cookie implementations where using a such
>>>> a
>>>> name cause problems?
>>>
>>> Our information from our 2008
>>> MAMA<http://dev.opera.com/articles/view/mama/
>>>>
>>>> spider run of 3.5 million URLs found 60 URLs that set cookies with names
>>>
>>> starting with $, but there were only 4 name variations, the largest group
>>> apparently originating with a single web development company with offices
>>> in
>>> North Carolina, South Carolina and Georgia, and websites for
>>> companies/cities in that area.
>>
>> Hum...  That makes it sound like we shouldn't add a user agent
>> requirement on this topic until phase 2.
>
> Really?
>
> It has been reserved, should be reserved, and seems to be only used *very*
> rarely...

We're only supposed to require user agents to do things that are
already widely implemented.  I'll happily add this requirement if user
agents widely implement it, but that's not the case currently.
There's a bunch of stuff in RFC 2109 that's been "reserved" and
"should be reserved" but the reality today is that it isn't reserved.

Adam