Re: [http-state] Updated draft

Daniel Stenberg <daniel@haxx.se> Sat, 15 August 2009 21:06 UTC

Return-Path: <daniel@haxx.se>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E8103A6A89 for <http-state@core3.amsl.com>; Sat, 15 Aug 2009 14:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.887
X-Spam-Level:
X-Spam-Status: No, score=-2.887 tagged_above=-999 required=5 tests=[AWL=-0.638, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tLsRUH8FgP4g for <http-state@core3.amsl.com>; Sat, 15 Aug 2009 14:06:01 -0700 (PDT)
Received: from kluster1.contactor.se (kluster1.contactor.se [91.191.140.11]) by core3.amsl.com (Postfix) with ESMTP id AB9943A682B for <http-state@ietf.org>; Sat, 15 Aug 2009 14:06:00 -0700 (PDT)
Received: from linux2.contactor.se (linux2.contactor.se [91.191.140.14]) by kluster1.contactor.se (8.13.8/8.13.8/Debian-3) with ESMTP id n7FL61DP018350; Sat, 15 Aug 2009 23:06:01 +0200
Date: Sat, 15 Aug 2009 23:06:01 +0200
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@linux2.contactor.se
To: Adam Barth <ietf@adambarth.com>
In-Reply-To: <7789133a0908151008p35ff30e6w2761368fe70d41a6@mail.gmail.com>
Message-ID: <alpine.DEB.2.00.0908152250410.18461@yvahk2.pbagnpgbe.fr>
References: <7789133a0908151008p35ff30e6w2761368fe70d41a6@mail.gmail.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Updated draft
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Aug 2009 21:06:02 -0000

On Sat, 15 Aug 2009, Adam Barth wrote:

> http://www.ietf.org/id/draft-abarth-cookie-01.txt
>
> As always, comment appreciated.

A few comments:

Section 2 "Terminology" describes how the domain matchin is made. I know this 
was like this in RFC2965 as well, but I find it to be a weird placement for 
that description. That's not terminology, it's rather text meant for section 
6.4 in my opinion.

In section 6.3 I found this text:

"The user agent MUST evict a cookie ... if ... More than 50 cookies exist in 
the cookie store with the same domain field."

Is that really a MUST? There's no fixed 50 cookies limit in curl at least and 
I would be surprised if all other HTTP clients would agree on this. May I 
suggest that to be written a MAY instead?

In section 6.4 there's a typo:

    When the user agent generates an HTTP request for a particular URI,
    the user agent SHOULD attach exactly one HTTP named Cookie if the

insert 'header' after HTTP.

I don't understand the section saying:

    When generating a cookie-string from a URI with a "secure" scheme,
    the user agent MUST set the SECURE flag to true.  Otherwise, the user
    agent MUST set the SECURE flag to false.

What 'flag' is this referring to? This section is for sending the Cookie: 
header and I would presume stored received cookies already are marked secure 
or not. Similar wording is used later but then speaks of "the HTTP flag".

The section about the sorting of the cookie-list. Do implementations really 
bother about in which order the cookies are matched? I don't see how that is 
important (and again, I know an implementation that doesn't care).

The text about "Update the last-access field of each cookie" is certainly not 
a MUST but could be a useful suggestion. Still I think it could be left out 
entirely.

-- 

  / daniel.haxx.se