IETF Logo Mail Archive

Re: [http-state] Comments on draft-ietf-httpstate-cookie-08.txt (1 - 4.1.2.)

Julian Reschke <julian.reschke@gmx.de> Thu, 27 May 2010 07:49 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 678BB3A69EA for <http-state@core3.amsl.com>; Thu, 27 May 2010 00:49:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.999
X-Spam-Level:
X-Spam-Status: No, score=-4.999 tagged_above=-999 required=5 tests=[AWL=-5.600, BAYES_50=0.001, J_CHICKENPOX_43=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 90Elbni9zuyG for <http-state@core3.amsl.com>; Thu, 27 May 2010 00:49:49 -0700 (PDT)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 6D13A3A6990 for <http-state@ietf.org>; Thu, 27 May 2010 00:49:48 -0700 (PDT)
Received: (qmail invoked by alias); 27 May 2010 07:49:36 -0000
Received: from p508FFB57.dip.t-dialin.net (EHLO [192.168.178.33]) [80.143.251.87] by mail.gmx.net (mp057) with SMTP; 27 May 2010 09:49:36 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1//qytpL2f/nytlnau+v6bLCvFWi1mt/6SIXBFIhz BU+fZSBP974eQt
Message-ID: <4BFE240A.4030905@gmx.de>
Date: Thu, 27 May 2010 09:49:30 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <f5jqv5pu3oksmjndegd5a329gp40opqsr5@hive.bjoern.hoehrmann.de> <AANLkTin2dZ3v681D2W4yZEHhnc_0G8mAQRsMA8ZQ6wWF@mail.gmail.com>
In-Reply-To: <AANLkTin2dZ3v681D2W4yZEHhnc_0G8mAQRsMA8ZQ6wWF@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: http-state@ietf.org
Subject: Re: [http-state] Comments on draft-ietf-httpstate-cookie-08.txt (1 - 4.1.2.)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2010 07:49:51 -0000

On 26.05.2010 22:45, Adam Barth wrote:
> ...
> On Wed, May 26, 2010 at 10:22 AM, Bjoern Hoehrmann<derhoermi@gmx.net>  wrote:
>>   Some comments on draft-ietf-httpstate-cookie-08.txt:
> ...
>> Later in the section, there should be a bibliographic reference for the
>> "Netscape cookie specification".
>
> I'd be happy to add this if you let me know what citation you think we
> should use here.  The problem is that I don't know of a canonical URL
> to cite now that the original Netscape site is defunct.
 > ...

I agree that this needs a citation, even if we can't provide the 
original URI. Proposal: create something on purl.org (I know the RFC 
Editor is likely to accept that), and let it redirect to the best copy 
we can find. If that breaks, we still can update the purl.

>> In the same paragraph "However, none of
>> these documents describe how the Cookie and Set-Cookie headers are
>> actually used on the Internet" is rather unclear and does not appear to
>> do the relevant documents justice. As reader I am left wondering if the
>> intend is to say they did not attempt to do so, or were incomplete, or
>> what else is wrong with them.
>
> That's just a statement of fact.  I'm not sure what the intentions
> were of their creators, but (however we got here) we find ourselves in
> that situation.

That statement is kind of confusing to people who do not already know 
the history.

Maybe it would make sense to cite

[Kri2001]	Kristol, D., “HTTP Cookies: Standards, Privacy, and Politics”, 
ACM Transactions on Internet Technology Vol. 1, #2, November 2001, 
<http://arxiv.org/abs/cs.SE/0105018>.

to give some more context.

>> In section 2.2 the imported rules should be phrased as grammar to make
>> them easer to scan and read, i.e., e.g.
>>
>>   ALPHA =<as defined in ...>  ; A-Z / a-z
>>   ...
>
> I looked a bunch of RFCs and this didn't appear to be that common.
> I'd be happy to do this if you can show me three relatively recent
> RFCs that use this pattern.

Adam is right; not expanding the RFC 5234 base rules is quite common.

> ...
>> In section 2.3 we have "The terms request-host and request-uri refer to
>> the values the user agent would send to the server as, respectively, the
>> host (but not port) and the absoluteURI (http_URL) of the HTTP
>> Request-Line." I am not entirely sure how to read that; for example, the
>> "host" would be part of "absoluteURI" if it is sent in the Request-Line,
>> and sending an absoluteURI there is unusual (unless talking to a proxy).
>> Also, the reference to http_URL is probably incorrect if "https" URLs
>> are also permissable.
>
> I find it completely ridiculous that the specs make it so hard to say
> what URL and host we're sending a request to, which would seem to be
> the two most important things about an HTTP request.  Hopefully
> someone will chime in with the magic incantation we're supposed to use
> here.

If you're willing to wait for httpbis, "Effective Request URI" might be 
the right thing 
(<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-latest.html#effective.request.uri>).

> ...
>> Later in the section, "The origin server MAY send the user agent a
>> Set-Cookie response header with the same or different information, or it
>> MAY send no Set-Cookie header at all." It is unclear what "same" refers
>> to here. It sounds like this might refer to servers setting the same
>> cookie over and over again even if the client is already sending it back
>> but that does not become clear from the paragraph.
>
> It just means the server can send whatever it likes, including things
> that are the same or different from what it sent before or not sending
> things at all.

I also have to point out that this use of MAY is irritating; just state 
that this is optional behavior.

>> At the end of section 3 it should be pointed out that the do-not-fold
>> rule is inconsistent with RFC 2616.
>
> This is pointed out in HTTPbis.  At worst, this inconsistency will
> exist for only a short time.

HTTPbis currently says:

"Note: The "Set-Cookie" header as implemented in practice (as opposed to 
how it is specified in [RFC2109]) can occur multiple times, but does not 
use the list syntax, and thus cannot be combined into a single line. 
(See Appendix A.2.3 of [Kri2001] for details.) Also note that the 
Set-Cookie2 header specified in [RFC2965]  does not share this problem." 
-- 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-latest.html#rfc.section.3.2.p.7>

So the Cookie spec has an additional requirement compared both to RFC 
2616 and HTTPbis, and that should be pointed out (and explained!).

> ...
>> The grammar makes reference to "abs_path", but does not define what it
>> is.
>
> I've just made this<any CHAR except CTLs or ";">.

Is this supposed to be the same as abs_path in RFC 2396? If it is, RFC 
3986 has replaced this with path-absolute. More consistency with these 
specs would be good.

> ...
> I've removed the concept of a cookie store from this section because
> it's not needed to explain what's going on.
> ...

It's good that you already improved the spec; can you please post this 
somewhere (not as new ID!), so people doing the LC review can check 
whether something has already been addressed?

Best regards, Julian

v2.23.0 | Report a Bug | By Email