Re: [http-state] Updated draft

Adam Barth <ietf@adambarth.com> Sat, 15 August 2009 23:43 UTC

Return-Path: <adam@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7AFC63A6AB7 for <http-state@core3.amsl.com>; Sat, 15 Aug 2009 16:43:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.867
X-Spam-Level:
X-Spam-Status: No, score=-1.867 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id skZUinbth25p for <http-state@core3.amsl.com>; Sat, 15 Aug 2009 16:42:57 -0700 (PDT)
Received: from mail-vw0-f196.google.com (mail-vw0-f196.google.com [209.85.212.196]) by core3.amsl.com (Postfix) with ESMTP id 76B193A68CC for <http-state@ietf.org>; Sat, 15 Aug 2009 16:42:53 -0700 (PDT)
Received: by vws34 with SMTP id 34so2039882vws.31 for <http-state@ietf.org>; Sat, 15 Aug 2009 16:42:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.111.6 with SMTP id q6mr3375570vcp.45.1250379776118; Sat, 15 Aug 2009 16:42:56 -0700 (PDT)
In-Reply-To: <alpine.DEB.2.00.0908152250410.18461@yvahk2.pbagnpgbe.fr>
References: <7789133a0908151008p35ff30e6w2761368fe70d41a6@mail.gmail.com> <alpine.DEB.2.00.0908152250410.18461@yvahk2.pbagnpgbe.fr>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 15 Aug 2009 16:42:36 -0700
Message-ID: <7789133a0908151642w47c1dbf1x48268e657b0d71cc@mail.gmail.com>
To: Daniel Stenberg <daniel@haxx.se>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Updated draft
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Aug 2009 23:43:06 -0000

On Sat, Aug 15, 2009 at 2:06 PM, Daniel Stenberg<daniel@haxx.se> wrote:
> Section 2 "Terminology" describes how the domain matchin is made. I know
> this was like this in RFC2965 as well, but I find it to be a weird placement
> for that description. That's not terminology, it's rather text meant for
> section 6.4 in my opinion.

Yes.  I've added a TODO to move this to one of the conformance sections.

> In section 6.3 I found this text:
>
> "The user agent MUST evict a cookie ... if ... More than 50 cookies exist in
> the cookie store with the same domain field."
>
> Is that really a MUST? There's no fixed 50 cookies limit in curl at least
> and I would be surprised if all other HTTP clients would agree on this. May
> I suggest that to be written a MAY instead?

Done.  I have it on good authority that there exist sites that break
if you change this number.  However, I've softened the draft to make
50 only a suggestion.

> In section 6.4 there's a typo:
>
>   When the user agent generates an HTTP request for a particular URI,
>   the user agent SHOULD attach exactly one HTTP named Cookie if the
>
> insert 'header' after HTTP.

Fixed.

> I don't understand the section saying:
>
>   When generating a cookie-string from a URI with a "secure" scheme,
>   the user agent MUST set the SECURE flag to true.  Otherwise, the user
>   agent MUST set the SECURE flag to false.
>
> What 'flag' is this referring to? This section is for sending the Cookie:
> header and I would presume stored received cookies already are marked secure
> or not. Similar wording is used later but then speaks of "the HTTP flag".

Yeah, this is pretty clumsy.  I was trying to make the cooke selection
algorithm simpler, but it didn't work out well.  I've added a TODO to
fix this.

> The section about the sorting of the cookie-list. Do implementations really
> bother about in which order the cookies are matched? I don't see how that is
> important (and again, I know an implementation that doesn't care).

Yes.  The bit about sorting by path length is definitely required for
compatibility.  I remember reading some old bug reports about that.  I
suspect the bit about creation date is important too, although I don't
have concrete examples of sites that break.  I don't have a test case
written for the sorting yet, but I believe IE, Firefox, and Chrome do
this.  I haven't tested Safari or Opera.

> The text about "Update the last-access field of each cookie" is certainly
> not a MUST but could be a useful suggestion. Still I think it could be left
> out entirely.

That's the only text that gives semantics to the last-access field,
which is needed during eviction.

Adam