IETF Logo Mail Archive

Re: [http-state] Comments on draft-ietf-httpstate-cookie-08

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Sat, 29 May 2010 17:54 UTC

Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFA723A6896 for <http-state@core3.amsl.com>; Sat, 29 May 2010 10:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0nZLrswJqPsa for <http-state@core3.amsl.com>; Sat, 29 May 2010 10:54:23 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 8F5F83A6862 for <http-state@ietf.org>; Sat, 29 May 2010 10:54:23 -0700 (PDT)
Received: from acorna (30.169.202.84.customer.cdi.no [84.202.169.30]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o4THs83R013859 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 29 May 2010 17:54:09 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Adam Barth <ietf@adambarth.com>
References: <op.vdfzz8lovqd7e2@killashandra.oslo.osa> <AANLkTikwyQZo-z_U_n3N8c05tY30gHUtIBqEpMg9O4oI@mail.gmail.com>
Date: Sat, 29 May 2010 19:54:00 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.vdhaoaqzqrq7tp@acorna>
In-Reply-To: <AANLkTikwyQZo-z_U_n3N8c05tY30gHUtIBqEpMg9O4oI@mail.gmail.com>
User-Agent: Opera Mail/10.53 (Win32)
Cc: "http-state@ietf.org" <http-state@ietf.org>
Subject: Re: [http-state] Comments on draft-ietf-httpstate-cookie-08
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 May 2010 17:54:25 -0000

On Sat, 29 May 2010 18:51:41 +0200, Adam Barth <ietf@adambarth.com> wrote:

> I'll reply to your full email in detail later, but another note:
>
> On Fri, May 28, 2010 at 6:05 PM, Yngve Nysaeter Pettersen
> <yngve@opera.com> wrote:
>> IMO the specification should specifically comment on these issues, and
>> preferably allow clients to discard cookies with quotes that does not  
>> match
>> the quoted-string syntax,
>
> User agents already have the option to discard any cookie for any
> reason.  Adding this text to the spec would be redundant.

I think it may still be useful to point out specific issues where such  
discarding policies are used automatically. My impression of that text is  
that it focus more on cleanup and user controlled filtering, rather than  
what policies the client may have implemented. I suspect that most  
administrators will read it that way too. For example, the draft  
specifically mentions public suffix as a reason why a client can discard a  
cookie.

>> Perhaps one way to do that is to
>> specifically say that the result of using quotes in this fashion is
>> undefined?
>
> Leaving things like this undefined hurts interoperability.

The situation for this particular value syntax is already undefined, and  
while it is a corner case, it can have unanticipated effects, particularly  
in combination with different cookie ordering algorithms. Putting the  
server administrators on notice about the issue should hopefully increase  
interoperability because they can then avoid the problematic cases.

If we are going to document cookies as used on the Internet, then I think  
that includes pointing out the areas that should be avoided, particularly  
the ones where the results will be undefined. That should not just be done  
by how the syntax is defined, but also directly mentioning them.

This information can be mentioned either as notes (or Notes) in the  
definitions themselves, or collected in a separate "Implementation  
pitfalls"-section.

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

v2.23.0 | Report a Bug | By Email