Re: [http-state] Assumed Vary: Cookie

Bjoern Hoehrmann <derhoermi@gmx.net> Fri, 21 November 2014 14:14 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 21 Nov 2014 15:13:56 +0100
Message-ID: <iffu6a5eljncqu5qpqc0uma3qqu3uh89ee@hive.bjoern.hoehrmann.de>
References: <CADnb78jHxhbRG7iTRxGpJt7dymL+V=P7qSKnrHcLcfjMpBQkCg@mail.gmail.com>
In-Reply-To: <CADnb78jHxhbRG7iTRxGpJt7dymL+V=P7qSKnrHcLcfjMpBQkCg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-state/QfRfZlIrOyzwaAn0u3-KxDNAvBg
Cc: Boris Zbarsky <bzbarsky@mit.edu>, http-state@ietf.org
Subject: Re: [http-state] Assumed Vary: Cookie

* Anne van Kesteren wrote:
>RFC 6265 does not really explain the relationship to the HTTP cache
>and how this is somewhat special for cookies. In particular,
>implementations assume that a different value for the Cookie request
>header means the cache cannot be reused. Can errata be issued?
>
>For additional context:
>
>  http://lists.w3.org/Archives/Public/ietf-http-wg/2009AprJun/0464.html
>  https://bugzilla.mozilla.org/show_bug.cgi?id=1075297#c5

It seems that implementations vary in what assumptions they make about
server responses when sending or omitting a `Cookie` header in requests.
Even for the dominant web browsers there does not seem to be a common
reliable behavior, and I am sure there are non-browser caches that do
not assume `Vary: Cookie`. So it's not obvious to me what the document
should say on the matter.

(And as an aside, for the specific bug report above, it seems Chrome's
behavior is better than that of Firefox, but Mozilla does not seem
interested in aligning their implementation with Chrome in this regard.)
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/
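
Added example, not part of the message above and not code from any browser or cache: a toy cache run under the two policies the thread contrasts, one keying only on the response's explicit Vary header and one treating every response as if it carried `Vary: Cookie`. The origin, URL and cookie values are constructed, and freshness and Cache-Control handling are left out by assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)  # response headers

def vary_fields(resp, assume_vary_cookie):
    """Lower-cased request header names that select a stored response."""
    names = {n.strip().lower() for n in resp.headers.get("Vary", "").split(",") if n.strip()}
    if assume_vary_cookie:
        names.add("cookie")  # implicit Vary: Cookie, the assumption under discussion
    return names

class ToyCache:
    def __init__(self, assume_vary_cookie):
        self.assume_vary_cookie = assume_vary_cookie
        self.store = {}  # url -> list of (selecting header values, Response)

    def lookup(self, url, req_headers):
        req = {k.lower(): v for k, v in req_headers.items()}
        for selected, resp in self.store.get(url, []):
            if all(req.get(n) == v for n, v in selected.items()):
                return resp
        return None

    def save(self, url, req_headers, resp):
        names = vary_fields(resp, self.assume_vary_cookie)
        if "*" in names:
            return  # Vary: * never matches a later request, so do not store
        req = {k.lower(): v for k, v in req_headers.items()}
        self.store.setdefault(url, []).append(({n: req.get(n) for n in names}, resp))

def origin(req_headers):
    """Constructed origin: personalises on Cookie but sends no Vary header."""
    return Response(body="account page for " + req_headers.get("Cookie", "no cookie"))

def fetch(cache, url, req_headers):
    hit = cache.lookup(url, req_headers)
    if hit is not None:
        return hit.body, "HIT"
    resp = origin(req_headers)
    cache.save(url, req_headers, resp)
    return resp.body, "MISS"

def demo(assume_vary_cookie):
    """Same URL requested with two different Cookie values, in order."""
    cache = ToyCache(assume_vary_cookie)
    fetch(cache, "/account", {"Cookie": "sid=alice"})
    return fetch(cache, "/account", {"Cookie": "sid=bob"})
```

With `demo(False)` the second request is answered from the entry stored for the first cookie; with `demo(True)` it misses and goes back to the origin.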