Re: [http-state] draft-ietf-httpstate-cookie-05 posted

"Yngve Nysaeter Pettersen" <yngve@opera.com> Tue, 16 March 2010 14:14 UTC

To: "Paul E. Jones" <paulej@packetizer.com>, "Adam Barth" <ietf@adambarth.com>
Date: Tue, 16 Mar 2010 15:14:09 +0100
Cc: Daniel Stenberg <daniel@haxx.se>, http-state <http-state@ietf.org>

On Mon, 15 Mar 2010 23:10:20 +0100, Adam Barth <ietf@adambarth.com> wrote:

> Yngve, was your recommendation motivated by the behavior of any
> particular user agent?

No.

However, I've just confirmed that many of the compilers for the device
(non-desktop) platforms we are delivering on are using a 32-bit time_t.

At the very least this could indicate that other clients are also limited
by 32 bit, and might be using conversion functions that return an error value
instead of an upper limit date when the year is outside the allowed range.
At best this could mean that the cookie is converted to a session cookie.

Opera is currently enforcing an upper limit of 2036 for dates of the form
used for Expires (I have filed a bug on that). There is no such limit for
max-age, except the max value that can be represented.

I wonder if the Expires/Max-age should discourage using values more than a
few years into the future. One thing is that it is unlikely that the
client will exist as long (but that to the end of client existence aspect
is probably what the designer wants); another is that the server will have
to maintain a database for those sessions for a very long time, possibly
leading to a lot of storage overhead; a third is that quite a few people
frown upon the use of long-lasting cookies. Maybe a recommendation of "not
more than" 2 or 3 years should be added as a best-practice?

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
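
The failure mode described in the message above, as an added example that is not part of the original post and not any browser's code: an Expires date past the 32-bit time_t range is converted once with an error-returning routine and once with a saturating one, and then capped to a maximum lifetime. All function names are hypothetical, the date fields are assumed to be already parsed as UTC, and the cookie store is assumed to treat an expiry of zero or less as "session cookie".

```c
#include <stdint.h>
#include <stdio.h>

/* Days from 1970-01-01 to y-m-d (proleptic Gregorian), computed in 64 bits. */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Already-parsed Expires fields (UTC) as 64-bit seconds since the epoch. */
static int64_t expires_to_epoch64(int y, int mo, int d, int h, int mi, int s) {
    return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + s;
}

/* Error-style 32-bit conversion: out-of-range dates yield -1, like mktime(). */
static int32_t to_time32_error(int64_t t) {
    return (t > INT32_MAX || t < 0) ? -1 : (int32_t)t;
}

/* Saturating conversion: far-future dates become the latest representable time. */
static int32_t to_time32_clamped(int64_t t) {
    if (t > INT32_MAX) return INT32_MAX;
    if (t < 0) return 0;
    return (int32_t)t;
}

/* Assumed store policy (hypothetical): expiry <= 0 means "session cookie". */
static int is_session_cookie(int32_t expiry) { return expiry <= 0; }

/* Lifetime cap, e.g. the "not more than 2 or 3 years" idea from the message. */
static int64_t cap_lifetime(int64_t expiry, int64_t now, int64_t max_secs) {
    return (expiry - now > max_secs) ? now + max_secs : expiry;
}

int main(void) {
    int64_t now = expires_to_epoch64(2010, 3, 16, 14, 14, 9); /* constructed "now" */
    int64_t far = expires_to_epoch64(2040, 1, 1, 0, 0, 0);    /* constructed Expires */
    printf("error-style: session=%d\n", is_session_cookie(to_time32_error(far)));
    printf("clamped:     expiry=%ld\n", (long)to_time32_clamped(far));
    printf("capped:      expiry=%lld\n", (long long)cap_lifetime(far, now, 3LL * 365 * 86400));
    return 0;
}
```

With the error-style conversion the 2040 cookie silently becomes a session cookie, while the saturating conversion keeps it persistent until the last representable second.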