IETF Logo Mail Archive

Re: [http-state] Make draft-abarth-cookie-06 a working group item?

Adam Barth <ietf@adambarth.com> Sat, 12 December 2009 04:47 UTC

Return-Path: <adam@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8509C3A67C1 for <http-state@core3.amsl.com>; Fri, 11 Dec 2009 20:47:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.865
X-Spam-Level:
X-Spam-Status: No, score=-1.865 tagged_above=-999 required=5 tests=[AWL=0.112, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8PnK2FMwUIPx for <http-state@core3.amsl.com>; Fri, 11 Dec 2009 20:47:27 -0800 (PST)
Received: from mail-px0-f171.google.com (mail-px0-f171.google.com [209.85.216.171]) by core3.amsl.com (Postfix) with ESMTP id B38BE3A679F for <http-state@ietf.org>; Fri, 11 Dec 2009 20:47:27 -0800 (PST)
Received: by pxi1 with SMTP id 1so1604080pxi.29 for <http-state@ietf.org>; Fri, 11 Dec 2009 20:47:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.142.60.3 with SMTP id i3mr1320499wfa.147.1260593233053; Fri, 11 Dec 2009 20:47:13 -0800 (PST)
In-Reply-To: <7789133a0912111604q2a9edcf7g1bfb394cfd4d4eae@mail.gmail.com>
References: <7789133a0912111441t38d8142frecfc149e2d8464fd@mail.gmail.com> <alpine.DEB.2.00.0912120005060.16918@tvnag.unkk.fr> <7789133a0912111604q2a9edcf7g1bfb394cfd4d4eae@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 11 Dec 2009 20:45:46 -0800
Message-ID: <7789133a0912112045m14a83eam40603f1afa588a94@mail.gmail.com>
To: Daniel Stenberg <daniel@haxx.se>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Make draft-abarth-cookie-06 a working group item?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2009 04:47:28 -0000

On Fri, Dec 11, 2009 at 4:04 PM, Adam Barth <ietf@adambarth.com> wrote:
> On Fri, Dec 11, 2009 at 3:48 PM, Daniel Stenberg <daniel@haxx.se> wrote:
>> Here's some additional random thoughts on the current version:
>>
>> Max-age is now specified to be:
>>
>>      The value of the Max-Age attribute represents the maximum
>>      lifetime of the cookie, measured in seconds from the moment the
>>      user agent receives the cookie
>>
>> RFC2109 and 2965 that both include max-age defined Max-age to be:
>>
>>      The Max-Age attribute defines the lifetime of the cookie, in seconds.
>
> I'm happy to use the RFC2109 and 2965 working if you think that's clearer.

I adapted some text from HTTPbis, which equivocates on this point:

[[
The Max-Age attribute indicates that
the cookie MUST NOT be returned to the server when its age is
greater than the specified number of seconds.
]]

In general, I'd like to align the spec with HTTPbis wherever possible.

>> I have some problems with this phrase in 4.2.1:
>>
>>   NOTE: If the server supplies a Set-Cookie header that does not
>>   conform to the grammar in Section [TODO], the user agent might not
>>   supply a Cookie header that conforms to the preceding grammar.
>>
>> Is that a way to say that if the server violates the spec, so can the
>> client?
>
> I need to make this clearer.  What this means is if the server
> includes a funny character in a cookie name (like +) that is outside
> the grammar, then the client will return that value even though it
> doesn't conform to the grammar.
>
>> I don't see any reason to A) offer the client a way to not adhere to
>> the spec and B) imply that the client would deal with improplerly formatted
>> cookies in any particular way that isn't even following this spec! But of
>> course, I'm not sure what the [TODO] is so I might have misunderstood this
>> paragraph.
>
> The intent is as follows:
>
> 1) A user agent should always follow the rules in Section 5.
> 2) If the server follows the rules in Section 4, then everything is
> nice and sane and works as described in Section 4.
> 3) If the server doesn't follow the rules in Section 4, then you need
> to read Section 5 to figure out what's going to happen.

Is this text clearer?

[[
NOTE: If the server supplies Set-Cookie headers that conform
to the grammar in this section, then the user agent will return a
Cookie header that conforms to the grammar above.  However, if the
user agent receives a Set-Cookie header that deviates from the
grammar in this section, the requirements in the next section might
cause the user agent to return a Cookie header that deviates from
the preceding grammar.
]]

>> And for the sake of it, I'll maintain that I am against section 5.3 rule
>> number 2. I argue that both those cookie sort order keys are not a MUST. I
>> just cannot agree with that.
>
> Keep in mind that this draft is just the starting point for
> discussion.  I expect there will be many more drafts to come where we
> can iron out these issues.

I've added a TODO about this so we don't forget.

Adam

v2.23.0 | Report a Bug | By Email