Re: [http-state] [Technical Errata Reported] RFC6265 (3663)

Dave Thaler <> Wed, 10 July 2013 22:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8B9221F9CDA for <>; Wed, 10 Jul 2013 15:07:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -100.467
X-Spam-Status: No, score=-100.467 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dyi5g09rwvPC for <>; Wed, 10 Jul 2013 15:07:24 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7D45921F9CCC for <>; Wed, 10 Jul 2013 15:07:19 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.717.3; Wed, 10 Jul 2013 22:07:12 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.717.3 via Frontend Transport; Wed, 10 Jul 2013 22:07:11 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 10 Jul 2013 22:07:11 +0000
Received: from ( by ( with Microsoft SMTP Server id; Wed, 10 Jul 2013 22:07:07 +0000
Received: from mail92-db9 (localhost []) by (Postfix) with ESMTP id 0495048011E for <>; Wed, 10 Jul 2013 22:07:08 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:; KIP:(null); UIP:(null); (null);; R:internal; EFV:INT
X-SpamScore: -24
X-BigFish: PS-24(zz98dI9371Ic89bh1454I542Ic85dh1432I1418Ide40hzz1f42h1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1033IL17326ah1954cbh172d07h8275bh8275dhz31h2a8h668h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1bceh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh9a9j34h1155h)
Received-SPF: softfail (mail92-db9: transitioning domain of does not designate as permitted sender) client-ip=;; ; ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(51444003)(52044002)(24454002)(51704005)(377454003)(13464003)(199002)(189002)(83072001)(77096001)(54356001)(54316002)(16601075003)(69226001)(74316001)(76576001)(76482001)(56776001)(47446002)(74876001)(53806001)(15188555002)(51856001)(15202345003)(76796001)(33646001)(49866001)(77982001)(59766001)(74662001)(63696002)(4396001)(56816003)(47736001)(16406001)(80022001)(46102001)(76786001)(47976001)(74366001)(66066001)(81342001)(65816001)(74706001)(31966008)(50986001)(79102001)(81542001)(74502001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB272;; CLIP:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail92-db9 (localhost.localdomain []) by mail92-db9 (MessageSwitch) id 1373494025943071_14032; Wed, 10 Jul 2013 22:07:05 +0000 (UTC)
Received: from (unknown []) by (Postfix) with ESMTP id E06F8340047; Wed, 10 Jul 2013 22:07:05 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 10 Jul 2013 22:07:03 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.16.329.3; Wed, 10 Jul 2013 22:07:02 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.731.11; Wed, 10 Jul 2013 22:07:00 +0000
Received: from ([]) by ([]) with mapi id 15.00.0731.000; Wed, 10 Jul 2013 22:06:59 +0000
From: Dave Thaler <>
To: 'Barry Leiba' <>
Thread-Topic: [http-state] [Technical Errata Reported] RFC6265 (3663)
Thread-Index: AQHOa7sntVkCaDRzOU+sK+oTCvibR5k6oD8AgAABf9CAAJNXAIAgKwkAgAACGWCAAzK2IA==
Date: Wed, 10 Jul 2013 22:06:59 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
x-forefront-prvs: 0903DD1D85
Content-Type: multipart/mixed; boundary="_002_9a2552b7ebe74621ae0fa7e5fbf78680BY2PR03MB269namprd03pro_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(51444003)(189002)(51704005)(377454003)(13464003)(24454002)(52044002)(199002)(66066001)(51856001)(54316002)(74316001)(74876001)(46102001)(56776001)(63696002)(20776003)(47976001)(69226001)(59766001)(50986001)(16601075003)(16676001)(81542001)(76796001)(77982001)(71186001)(76482001)(76786001)(74662001)(568964001)(49866001)(81342001)(77096001)(15202345003)(74366001)(15188555002)(80022001)(74502001)(76576001)(4396001)(33646001)(512934002)(83072001)(53806001)(74706001)(31966008)(54356001)(65816001)(56816003)(47736001)(79102001)(47446002)(6806004)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BN1BFFO11HUB032;; CLIP:; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0903DD1D85
Cc: "''" <>, 'Bjoern Hoehrmann' <>, "''" <>, 'RFC Errata System' <>
Subject: Re: [http-state] [Technical Errata Reported] RFC6265 (3663)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 10 Jul 2013 22:07:29 -0000

Based on my reading of
it seems that problems like the one I'm pointing out should still be Rejected if the
WG had consensus at the time on what the current design is.  As far as I know, that's the
case and hence an erratum appears to be the wrong way to track the "flaw" (or unexpected
behavior).   So while I've written a longer summary (attached), I'm not adding it into the errata system.

What I think is, however, reasonable in an errata is to point out that the current odd/inefficient
behavior was intended by the WG, and thus the reader should expect it.  I think that would be
a legitimate HFDU case under the argument that the current text causes confusion (it certainly
did for the Microsoft folks that caused me to file the erratum).

Suggested updated text you can edit in...

===<begin snip>===

Section 5.1.4 states:
>   A request-path path-matches a given cookie-path if at least one of
>   the following conditions holds:
>   o  The cookie-path and the request-path are identical.

The "identical" rule differs from the URI equivalence rule(s) in RFC 3986
sections 6.2 and 2.1 (e.g., "If two URIs differ only in the case of hexadecimal
digits used in percent-encoded octets, they are equivalent.")  The fact that
equivalent URIs have different cookies arguably violates the principle of
least astonishment.  To avoid significant confusion and prevent such surprise,
this fact should be noted so that it is at least not unexpected.

>   o  The cookie-path and the request-path are identical.
>   o  The cookie-path and the request-path are identical. Note that this
>        differs from the rules in RFC 3986 for equivalence of the path component,
>        and hence two equivalent paths can have different cookies.

===<end snip>===

If you can replace the original erratum text with the above, please do so.
If you cannot, feel free to append the above prefixed with some statement
to the effect that ABNF strings are case insensitive and so the statements about HEXDIG
were incorrect, and this text is a corrected summary of the issue.


-----Original Message-----
From: Dave Thaler 
Sent: Monday, July 8, 2013 1:53 PM
To: Barry Leiba; Adam Barth
Cc: Bjoern Hoehrmann; RFC Errata System;;;
Subject: RE: [http-state] [Technical Errata Reported] RFC6265 (3663)

Certainly the original issue as I phrased it is incorrect, so in that sense it's Rejected.
However, there is a functionality issue as I noted that results in unexpected behavior because two RFCs have differing definitions of equivalent.
The current RFCs do match the implementations, so it's really a design flaw in the RFCs not any bug in the implementations or doc per se.
I think the issue of unexpected behavior isn't an errata per se, it's a protocol "flaw" (in some sense) that should be noted somehow.
A HFDU errata would be one way to do that.  There may be other ways.

-----Original Message-----
From: [] On Behalf Of Barry Leiba
Sent: Monday, July 8, 2013 1:43 PM
To: Adam Barth
Cc: Dave Thaler; Bjoern Hoehrmann; RFC Errata System;;;
Subject: Re: [http-state] [Technical Errata Reported] RFC6265 (3663)

Where are we on this?  Adam, Dave... should I mark this "Rejected"?
Dave, do you still contend that this report is correct?  Or should some other change be proposed?


On Tue, Jun 18, 2013 at 5:29 AM, Adam Barth <>; wrote:
> On Mon, Jun 17, 2013 at 5:45 PM, Dave Thaler <>; wrote:
>> Thanks Bjoern.
>> Interesting, well in that case there may be an issue in the RFC 6265 algorithm for path matching.
>> That's because it requires comparison for "identical" and "ab", "AB", "aB", and "Ab" are not "identical".
>> So
>> are all "equivalent" in the language of RFC 3986, but not "identical" and hence a cookie on one will not match the others.
> The path-match algorithm does exactly what it says.  Even though RFC
> 3986 might say that those strings are equivalent in some sense 
> (perhaps as URIs?), the path-match algorithm in RFC 6265 treats them 
> differently.  In particularly, they're not identical and the 
> path-match algorithm will likely return "false" for one or more of 
> them.
>> It may still be worth having an errata noting the above issue, even if it's Hold For Document Update.
> As far as I can tell, the errata is incorrect.
> On Mon, Jun 17, 2013 at 6:04 PM, Dave Thaler <>; wrote:
>> I checked with one of the test teams at Microsoft and got this back:
>>> There is a gap in the RFCs 3986 and 6265. RFC 3986 talks about the 
>>> URI path and equivalence of encoded Unicode characters in the path section of the URI.
> I don't believe there is a gap.
>>> However, RFC 6265 section 5.1.4
>>> does not specifically state that the pre-fix match should be done on the unescaped URL path.
> RFC 6265 gives a complete description of how to perform a path-match.
> A compliant implementation will appear to operate as if it does 
> exactly what the specification says to do.  Given that RFC 6265 
> doesn't say to unescape the path, that means you ought not unescape 
> the path.
>>> All the browsers we tested against (IE, Chrome, Firefox) do this 
>>> case-sensitive prefix matching before sending the cookies to the other page.
> Indeed.
>>> For IIS applications created with Unicode characters, IIS converts 
>>> the escaped characters (like %0D%0C) to lower case, and they are 
>>> justified since the URI spec clearly calls out that they are equivalent.
> IIS is welcome to do that by the URI spec.  However, the strings are 
> not treated equivalently by RFC 6265.
>>> When one page re-directs to another in IIS application, the cookies 
>>> set for the first page are not presented to the application on the 
>>> other pages. This problem exists with the cookie handling by all the 
>>> browsers we tested against (IE, Chrome, Firefox). This is due to the gap I explained above.
> I don't see that as a problem.  All the implementations are 
> interoperating perfectly and matching the specification.  It sounds 
> like IIS has some undesirable behavior that its authors might want to 
> modify.  In any case, there's nothing to change about RFC 6265.  The 
> specification and the implementations are identical on this point.
> Adam
>> -----Original Message-----
>> From: Bjoern Hoehrmann []
>> Sent: Monday, June 17, 2013 5:36 PM
>> To: RFC Errata System
>> Cc:;; 
>>;; Dave 
>> Thaler;
>> Subject: Re: [http-state] [Technical Errata Reported] RFC6265 (3663)
>> * RFC Errata System wrote:
>>>HEXDIG is defined in [RFC5234], Appendix B.1 as
>>>  HEXDIG         =  DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
>>>Note that lower case a-f are not legal.
>> As per RFC 5234:
>>    NOTE:
>>       ABNF strings are case insensitive and the character set for these
>>       strings is US-ASCII.
>>    Hence:
>>          rulename = "abc"
>>    and:
>>          rulename = "aBc"
>>    will match "abc", "Abc", "aBc", "abC", "ABc", "aBC", "AbC", and
>>    "ABC".
>> --
>> Björn Höhrmann · · 
>> Am Badedeich 7 · Telefon:
>> +49(0)160/4415681 ·
>> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 ·