Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?

"Remy Lebeau" <remy@lebeausoftware.org> Wed, 16 February 2011 07:05 UTC


----- Original Message ----- 
From: "Roy T. Fielding" <fielding@gbiv.com>
To: "Adam Barth" <ietf@adambarth.com>
Cc: <http-state@ietf.org>
Sent: Tuesday, February 15, 2011 12:29 PM
Subject: Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?


> Then please explain to Amazon why you want to break their site?
> Look at your browser's cookies for amazon.com and you will probably
> find cookies named session-token, at-main, and x-main that do not
> follow your grammar.  They are quoted strings and valid under all
> prior descriptions of the Cookie and Set-Cookie header fields.

While we are on the subject of breaking Amazon cookies, here is a cookie I 
received from Amazon's homepage that does not conform to the format of the 
Expires attribute that Section 4 requires servers to use, but it is a 
perfectly valid cookie:

    Set-Cookie: bpx_ustats="iGfxfWHBtMzz9EqcZRPVxHOwPlefXNwx/nZTGCcg9tU="; Version=1; Max-Age=86400; Expires=Thu, 17-Feb-2011 06:09:08 GMT; Path=/

Here is the Section 4 grammar:

    expires-av        = "Expires=" sane-cookie-date
    sane-cookie-date  = <rfc1123-date, defined in [RFC2616], Section 3.3.1>

From RFC 2616:

    rfc1123-date = wkday "," SP date1 SP time SP "GMT"
    wkday        = "Mon" | "Tue" | "Wed"
                        | "Thu" | "Fri" | "Sat" | "Sun"
    date1        = 2DIGIT SP month SP 4DIGIT
    time         = 2DIGIT ":" 2DIGIT ":" 2DIGIT

Notice that the cookie is not using the "date1" grammar.

Since the cookie has a Version=1 attribute, it is an RFC 2109 cookie, and 
RFC 2109 allows Netscape-style date/time formatting:

    Wdy, DD-Mon-YYYY HH:MM:SS GMT

The cookie is conforming to that, but the draft does not allow servers to 
use that format anymore (but user agents can parse it, per Section 5).
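As an added illustration of the gap the message describes (not code from this thread or from any draft author), the Python below checks an Expires value both ways: strictly against the Section 4 server grammar quoted above, and leniently the way a user agent would under Section 5. The delimiter set and the time/day/month/year field order of the lenient parser are my reading of the draft's Section 5 algorithm and are assumptions, not text from the page.

```python
import re
from datetime import datetime, timezone

# Strict Section 4 grammar from the message: wkday "," SP date1 SP time SP "GMT",
# with date1 = 2DIGIT SP month SP 4DIGIT (so "17-Feb-2011" is rejected).
RFC1123_DATE = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), "
    r"\d{2} (?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} "
    r"\d{2}:\d{2}:\d{2} GMT$")
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
# Token delimiters of the lenient user-agent algorithm (assumption: my reading of
# the draft's Section 5): HTAB, %x20-2F, %x3B-40, %x5B-60, %x7B-7E; ':' is not one.
DELIMITERS = re.compile(r"[\t\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
TIME_TOKEN = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})(?!\d)")

def is_sane_cookie_date(value):
    """True only if the value meets the Section 4 grammar servers must emit."""
    return RFC1123_DATE.match(value) is not None

def _leading_int(tok, lo, hi):
    """Leading run of lo..hi digits not followed by another digit, else None."""
    m = re.match(r"^(\d{%d,%d})(?!\d)" % (lo, hi), tok)
    return int(m.group(1)) if m else None

def parse_cookie_date(value):
    """Lenient user-agent parse; returns a UTC datetime or None when unusable."""
    hour = minute = second = day = month = year = None
    for tok in DELIMITERS.split(value):
        if not tok:
            continue
        if hour is None and (m := TIME_TOKEN.match(tok)):
            hour, minute, second = (int(g) for g in m.groups())
        elif day is None and (n := _leading_int(tok, 1, 2)) is not None:
            day = n
        elif month is None and tok[:3].lower() in MONTHS:
            month = MONTHS.index(tok[:3].lower()) + 1
        elif year is None and (n := _leading_int(tok, 2, 4)) is not None:
            year = n
    if None in (hour, day, month, year):
        return None
    if year <= 99:  # two-digit years: 70-99 -> 19xx, 0-69 -> 20xx
        year += 1900 if year >= 70 else 2000
    if not (1 <= day <= 31 and year >= 1601 and hour <= 23 and minute <= 59 and second <= 59):
        return None
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:  # e.g. a day that does not exist in that month
        return None
```

Run against the Amazon value from the message, the strict check fails while the lenient parse still yields 2011-02-17 06:09:08 UTC, which is exactly the server/user-agent asymmetry the message points out.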