Re: [http-state] Is this an omission in the parser rules ofdraft-ietf-httpstate-cookie-21?

"Remy Lebeau" <remy@lebeausoftware.org> Wed, 16 February 2011 07:05 UTC

Return-Path: <remy@lebeausoftware.org>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6AFCE3A6D69 for <http-state@core3.amsl.com>; Tue, 15 Feb 2011 23:05:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_73=0.6, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HkGBpCv2bott for <http-state@core3.amsl.com>; Tue, 15 Feb 2011 23:05:06 -0800 (PST)
Received: from p3plsmtpa01-08.prod.phx3.secureserver.net (p3plsmtpa01-08.prod.phx3.secureserver.net [72.167.82.88]) by core3.amsl.com (Postfix) with SMTP id 3F3143A6D48 for <http-state@ietf.org>; Tue, 15 Feb 2011 23:05:03 -0800 (PST)
Received: (qmail 29295 invoked from network); 16 Feb 2011 07:05:30 -0000
Received: from unknown (76.93.119.83) by p3plsmtpa01-08.prod.phx3.secureserver.net (72.167.82.88) with ESMTP; 16 Feb 2011 07:05:30 -0000
Message-ID: <26A4B40A07EF489C882815971D7BC38E@RYANLAPTOP>
From: "Remy Lebeau" <remy@lebeausoftware.org>
To: <ietf@adambarth.com>
References: <20110204184735.26023.qmail@mm01.prod.mesa1.secureserver.net><AANLkTi=qBVkGwMHqAidtwP5_A8pPrF-Y9MV4jgYS5_QM@mail.gmail.com><7384878F-C44A-42A4-9694-1BB1C18AA5E6@gbiv.com><AANLkTinFq7bE_e3SSgdjuFvZ8hGn1xy4Hc1VKwc=vp1D@mail.gmail.com><49225418-A1AF-4299-8C4F-2E608D34265D@gbiv.com><AANLkTimrJF3LFR4t4j=U2L33kFh+wf-R=sjjwexcmyPi@mail.gmail.com> <26240DE2-4DD3-4863-81B1-635D34BA4AE4@gbiv.com>
Date: Tue, 15 Feb 2011 23:04:28 -0800
Organization: Lebeau Software
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Cc: http-state@ietf.org
Subject: Re: [http-state] Is this an omission in the parser rules ofdraft-ietf-httpstate-cookie-21?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 07:05:07 -0000

----- Original Message ----- 
From: "Roy T. Fielding" <fielding@gbiv.com>;
To: "Adam Barth" <ietf@adambarth.com>;
Cc: <http-state@ietf.org>;
Sent: Tuesday, February 15, 2011 12:29 PM
Subject: Re: [http-state] Is this an omission in the parser rules 
ofdraft-ietf-httpstate-cookie-21?


> Then please explain to Amazon why you want to break their site?
> Look at your browser's cookies for amazon.com and you will probably
> find cookies named session-token, at-main, and x-main that do not
> follow your grammar.  They are quoted strings and valid under all
> prior descriptions of the Cookie and Set-Cookie header fields.

While we are on the subject of breaking Amazon cookies, here is a cookie I 
received from Amazon's homepage that does not conform to the format of the 
Expires attribute that Section 4 requires servers to use, but it is a 
perfectly valid cookie:

    Set-Cookie: bpx_ustats="iGfxfWHBtMzz9EqcZRPVxHOwPlefXNwx/nZTGCcg9tU="; 
Version=1; Max-Age=86400; Expires=Thu, 17-Feb-2011 06:09:08 GMT; Path=/

Here is the Section 4 grammar:

    expires-av        = "Expires=" sane-cookie-date
    sane-cookie-date  = <rfc1123-date, defined in [RFC2616], Section 3.3.1>

>From RFC 2616:

    rfc1123-date = wkday "," SP date1 SP time SP "GMT"
    wkday        = "Mon" | "Tue" | "Wed"
                        | "Thu" | "Fri" | "Sat" | "Sun"
    date1        = 2DIGIT SP month SP 4DIGIT
    time         = 2DIGIT ":" 2DIGIT ":" 2DIGIT

Notice that the cookie is not using the "date1" grammar.

Since the cookie has a Version=1 attribute, it is an RFC 2109 cookie, and 
RFC 2109 allows Netscape-style date/time formatting:

    Wdy, DD-Mon-YYYY HH:MM:SS GMT

The cookie is conforming to that, but the draft does not allow servers to 
use that format anymore (but user agents can parse it, per Section 5).