[http-state] Netscape Cookie spec allowed chars

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 23 February 2011 23:03 UTC

Message-ID: <4D659252.3090407@KingsMountain.com>
Date: Wed, 23 Feb 2011 15:03:46 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF HTTP State WG <http-state@ietf.org>
Subject: [http-state] Netscape Cookie spec allowed chars

Roy said..
 >
 > Therefore, I would like you to change the ABNF so that it
 > reflects the reality of (Set-)Cookie usage on the Internet,
 > ...
 >  Changing it to
 >
 >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF
 >
 > or just the minimum
 >
 >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E
 >
 > returns the definition to the original Netscape spec (at
 > least in the first case)


Just so we all know for sure what the paraphrased (above) primary source 
actually says, here's the as-is spec being cited and a brief analysis of what 
it means...


[NSCP-COOKIE] "PERSISTENT CLIENT STATE HTTP COOKIES
Preliminary Specification - Use with caution"...
<http://web.archive.org/web/20020803110822/http://wp.netscape.com/newsref/std/cookie_spec.html> 


###
   Syntax of the Set-Cookie HTTP Response Header

     This is the format a CGI script would use to add to the HTTP
     headers a new piece of data which is to be stored by the client
     for later retrieval.

     Set-Cookie: NAME=VALUE; expires=DATE;
     path=PATH; domain=DOMAIN_NAME; secure

     NAME=VALUE
           This string is a sequence of characters excluding semi-colon,
           comma and white space. If there is a need to place such data
           in the name or value, some encoding method such as URL style
           %XX encoding is recommended, though no encoding is defined or
           required.

           This is the only required attribute on the Set-Cookie header.
###

Operative statement from the above quote..

"..characters excluding semi-colon, comma and white space."

(note also that the text above is only explicitly referring to the "NAME=VALUE" 
production; it apparently has been commonly interpreted as referring to the 
entire value string of the "Set-Cookie" HTTP response header; note also that it 
apparently assumes "characters" means "octets", and when it says "whitespace" 
it means the set of chars from the ASCII charset typically referred to as 
that (although that isn't necessarily a rigidly defined set [WS]))


As noted in the table below, the above operative statement has some 
ambiguities. For example, it doesn't explicitly include the high-bit-set chars 
%x80-FF, though apparently many have assumed it does.


----------------------------------------
Original Netscape Cookie spec
Allowed Characters ( [ASCII] (assumed) )
----------------------------------------
Decimal     Hex         Symbol(s)
----------------------------------------

; %x00-20 -- non-printing control chars (excluded ?)
;            and whitespace ( BS, HT, LF, VT, FF, CR, SP
;                             all excluded ? correct list of
;                             "whitespace" chars as assumed by
;                             [NSCP-COOKIE] authors ? )

;  %x21-2B:

33-43       21-2B       ! " # $ % & ' ( ) * +


; 44          2C          , (excluded)

;  %x2D-3A:

45-47       2D-2F       - . /

48-57       30-39       0 - 9

58          3A          :

; 59          3B          ; (excluded)

;  %x3C-7E:

60-64       3C-40       < = > ? @

65-90       41-5A       A-Z

91-96       5B-60       [ \ ] ^ _ `

97-122      61-7A       a-z

123-126     7B-7E       { | } ~


; 127         7F        DEL  (excluded ?)

;  %x80-FF:

128-256     80-FF       high-bit-set chars  (included ?)


See also:

[ASCII]  ASCII (American Standard Code for Information Interchange) Code
          http://www.december.com/html/spec/asciiall.html

[WS]     Whitespace character
          https://secure.wikimedia.org/wikipedia/en/wiki/Whitespace_character


---
end
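As an added example (not part of Jeff's message or Roy's proposal), the following Python compares Roy's two proposed cookie-value ABNF variants with a literal reading of the Netscape prose rule over all 256 octet values and reports exactly where they disagree. It assumes the whitespace set listed in the table above (BS, HT, LF, VT, FF, CR, SP), which the Netscape spec itself never pins down.

```python
# Added example: Roy's proposed ABNF for cookie-value versus a literal reading
# of the Netscape rule "characters excluding semi-colon, comma and white space",
# checked octet by octet over the full 0x00-0xFF range.

# Roy's two ABNF variants, as inclusive octet ranges.
ABNF_WITH_HIGH_BIT = [(0x21, 0x2B), (0x2D, 0x3A), (0x3C, 0x7E), (0x80, 0xFF)]
ABNF_MINIMUM = [(0x21, 0x2B), (0x2D, 0x3A), (0x3C, 0x7E)]

# Assumed "whitespace" set, taken from the table in the message:
# BS, HT, LF, VT, FF, CR, SP. The Netscape spec does not define it.
NETSCAPE_WHITESPACE = {0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x20}
SEMICOLON, COMMA = 0x3B, 0x2C


def abnf_allows(octet, ranges):
    """True if the octet falls inside one of the ABNF ranges."""
    return any(lo <= octet <= hi for lo, hi in ranges)


def netscape_allows(octet):
    """Literal reading of the Netscape prose: anything but ';', ',' and whitespace."""
    return octet not in (SEMICOLON, COMMA) and octet not in NETSCAPE_WHITESPACE


def value_ok(value, allowed):
    """Validate a cookie value (bytes) with the given per-octet predicate."""
    return all(allowed(b) for b in value)


def differences(ranges):
    """Return (octets Netscape allows but the ABNF rejects,
               octets the ABNF allows but Netscape rejects)."""
    netscape_only = [o for o in range(256)
                     if netscape_allows(o) and not abnf_allows(o, ranges)]
    abnf_only = [o for o in range(256)
                 if abnf_allows(o, ranges) and not netscape_allows(o)]
    return netscape_only, abnf_only


if __name__ == "__main__":
    for label, ranges in (("with %x80-FF", ABNF_WITH_HIGH_BIT),
                          ("minimum", ABNF_MINIMUM)):
        ns_only, abnf_only = differences(ranges)
        # The ABNF is strictly tighter: it drops the controls 0x00-0x1F,
        # DEL (0x7F) and, in the minimum variant, all high-bit octets.
        print(f"{label}: Netscape-only={[hex(o) for o in ns_only]} "
              f"ABNF-only={abnf_only}")
```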