Re: [http-state] Cookie path and trailing "/"

Zhong Yu <zhong.j.yu@gmail.com> Tue, 02 April 2013 01:28 UTC

From: Zhong Yu <zhong.j.yu@gmail.com>
To: Adam Barth <ietf@adambarth.com>
Cc: Pete Resnick <presnick@qti.qualcomm.com>, Barry Leiba <barryleiba@computer.org>, http-state <http-state@ietf.org>
Subject: Re: [http-state] Cookie path and trailing "/"

Never mind, there's already a bug -
https://bugzilla.mozilla.org/show_bug.cgi?id=537207

I agree with Dan Witte that it's probably not a big deal; usually a server
application will consistently use one of the two forms (if the application
uses non-"/" Paths at all).

Zhong Yu



On Mon, Apr 1, 2013 at 8:18 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

> Cool, I'll file a bug to Firefox.
>
>
> On Mon, Apr 1, 2013 at 8:07 PM, Adam Barth <ietf@adambarth.com> wrote:
>
>> On Mon, Apr 1, 2013 at 6:01 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>> > Hello cookie masters,
>> >
>> > In the following example of an http response, two cookies are set which
>> > differ in the trailing slash of the Path attribute
>> >
>> >     HTTP/1.1 200 OK
>> >     Set-Cookie: n=v1; Path=/abc
>> >     Set-Cookie: n=v2; Path=/abc/
>> >
>> > According to RFC6265, these are two distinct cookies. And cookie#2 is
>> > not applicable to request-path "/abc".
>> >
>> > In my tests, IE and Chrome conform to these requirements. My question
>> > is, are these requirements as intended?
>>
>> Yes.
>>
>> > What was the reason behind it?
>>
>> Based on our testing at the time, it was the most widely implemented
>> behavior.
>>
>> > On Firefox the two cookies are also treated as distinct cookies;
>> > however Firefox erroneously sends cookie#2 for request-path "/abc". Should
>> > that be considered a bug?
>>
>> If Firefox changes its behavior to match the spec, it will be more
>> interoperable with other user agents, which seems like a good thing.
>>
>> Adam
>>
>
>
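The behaviour discussed in this thread, as an added example that is not part of the original messages: a sketch of the RFC 6265 path-match (section 5.1.4), cookie identity (section 5.3) and Cookie header ordering (section 5.4) applied to the two Set-Cookie lines quoted above. `CookieJar`, `demo` and the host `example.test` are assumptions made for illustration; domain matching is reduced to host equality.

```javascript
// Added example (not from the thread): RFC 6265 path handling for the two cookies.
// CookieJar is a hypothetical minimal store; domain-match is reduced to host equality.

// Section 5.1.4 path-match.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match counts only on a "/" boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = []; this.clock = 0; }

  // Handles "name=value; Path=..." only; other attributes are ignored.
  // Simplification: a missing Path defaults to "/" instead of the section 5.1.4 default-path.
  setCookie(header, host) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return;
    let path = "/";
    for (const attr of attrs) {
      const m = /^path=(\/.*)$/i.exec(attr);
      if (m) path = m[1];
    }
    const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), host, path, created: this.clock++ };
    // Section 5.3: an existing cookie is replaced only if name, domain and path all match.
    const i = this.cookies.findIndex((c) => c.name === cookie.name && c.host === host && c.path === path);
    if (i >= 0) { cookie.created = this.cookies[i].created; this.cookies[i] = cookie; }
    else this.cookies.push(cookie);
  }

  // Section 5.4: longer paths first, then earlier creation time.
  cookieHeader(host, requestPath) {
    return this.cookies
      .filter((c) => c.host === host && pathMatch(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed input: the response from the thread, on a placeholder host.
function demo() {
  const jar = new CookieJar();
  jar.setCookie("n=v1; Path=/abc", "example.test");
  jar.setCookie("n=v2; Path=/abc/", "example.test");
  return ["/abc", "/abc/", "/abc/x", "/abcd"].map((p) => [p, jar.cookieHeader("example.test", p)]);
}
console.log(demo());
```

For request-path "/abc" only `n=v1` is sent; for "/abc/" and below both cookies are sent with the longer path first, so a server that reads only the first `n` sees a different value depending on the trailing slash.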