Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22

Adam Barth <ietf@adambarth.com> Thu, 24 February 2011 22:34 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B0D43A6867 for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 14:34:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.834
X-Spam-Level:
X-Spam-Status: No, score=-2.834 tagged_above=-999 required=5 tests=[AWL=0.143, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOpUSM-A-g4U for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 14:34:07 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 198F63A67F1 for <http-state@ietf.org>; Thu, 24 Feb 2011 14:34:07 -0800 (PST)
Received: by iwl42 with SMTP id 42so653069iwl.31 for <http-state@ietf.org>; Thu, 24 Feb 2011 14:34:57 -0800 (PST)
Received: by 10.231.39.71 with SMTP id f7mr2250522ibe.182.1298586896901; Thu, 24 Feb 2011 14:34:56 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id gy41sm8827038ibb.17.2011.02.24.14.34.55 (version=SSLv3 cipher=OTHER); Thu, 24 Feb 2011 14:34:55 -0800 (PST)
Received: by iyj8 with SMTP id 8so637043iyj.31 for <http-state@ietf.org>; Thu, 24 Feb 2011 14:34:55 -0800 (PST)
Received: by 10.231.180.30 with SMTP id bs30mr1759302ibb.171.1298586895077; Thu, 24 Feb 2011 14:34:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.40.7 with HTTP; Thu, 24 Feb 2011 14:34:25 -0800 (PST)
In-Reply-To: <4D66DC31.1020200@gmail.com>
References: <20110204184735.26023.qmail@mm01.prod.mesa1.secureserver.net> <AANLkTinFq7bE_e3SSgdjuFvZ8hGn1xy4Hc1VKwc=vp1D@mail.gmail.com> <49225418-A1AF-4299-8C4F-2E608D34265D@gbiv.com> <AANLkTimrJF3LFR4t4j=U2L33kFh+wf-R=sjjwexcmyPi@mail.gmail.com> <26240DE2-4DD3-4863-81B1-635D34BA4AE4@gbiv.com> <AANLkTikzB=VORtn7xiG2JY8ymTjk4epC9huZTC-s0nzq@mail.gmail.com> <4D5AEE94.6010303@gmx.de> <AANLkTimkmZ99qDcXB6=-PGtXq6WQ7+RSreRwsBAHryEj@mail.gmail.com> <DA7A626A-9613-4A49-8A46-8096F7F465B4@gbiv.com> <AANLkTi=aX26NgDx3J0zk6a6H-Fg-9hyuBhfwvVW5nBiH@mail.gmail.com> <AANLkTinnySHEXvaQSxoUAKNaPWThDWdJwnhvCdVfa5Vr@mail.gmail.com> <1E7DE6DF-864A-48AF-B9A3-698DEF4B3B2D@gbiv.com> <4D6590F4.6010505@stpeter.im> <94DA5CF6-88AB-43BD-99AE-921BCA98C7A3@gbiv.com> <AANLkTikxOBCgiAwvg3z2DwyHtJXhTK1=6ipTo16csKr9@mail.gmail.com> <4D66C718.3000300@stpeter.im> <1CE31B7F-5D95-4CFE-B9A1-FBCC9461E472@gbiv.com> <AANLkTim18Lu-_8+OB_oXyRK_x6aPV++m2=ZgnahNSLvK@mail.gmail.com> <4D66DC31.1020200@gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 24 Feb 2011 14:34:25 -0800
Message-ID: <AANLkTikejL7TRYJVkrCxMHe7SSZD5caLKt+bJwnK1yE+@mail.gmail.com>
To: Dan Winship <dan.winship@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "Roy T. Fielding" <fielding@gbiv.com>, iesg@iesg.org, http-state <http-state@ietf.org>
Subject: Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 22:34:08 -0000

On Thu, Feb 24, 2011 at 2:31 PM, Dan Winship <dan.winship@gmail.com> wrote:
> On 02/24/2011 04:50 PM, Adam Barth wrote:
>> DQUOTE is a cargo cult.  Matching DQUOTEs, as above, are less
>> problematic although they do have interoperability problems.  For
>> example, some user agents will incorrectly parse
>>
>> Set-Cookie: foo="bar\"; Secure
>>
>> (allowed by the grammar above) and will not interpret this header as
>> containing a Secure cookie.  If you insist on DQUOTE, we'll probably
>> be better off excluding %x5C from cookie-octet.
>
> I currently have some cookies with \" in them.
>
> Rather than trying to deal with this in the grammar, we could handle it
> like Max-Age, and just add "WARNING: If the cookie-value starts with a
> DQUOTE, some existing user agents will require it to be a valid
> quoted-string."

Those cookies will continue to work fine in user agents that follow
the spec.  However, we shouldn't recommend that servers send those
sorts of cookie values.  They're just causing themselves
interoperability problems.

Adam