Re: [http-state] Summary of discussion of Ticket 5 (Cookie ordering)

Dan Winship <> Fri, 16 April 2010 14:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AF5423A689F for <>; Fri, 16 Apr 2010 07:32:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.335
X-Spam-Status: No, score=0.335 tagged_above=-999 required=5 tests=[BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bAbJc9I0pFuT for <>; Fri, 16 Apr 2010 07:32:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C272928C13A for <>; Fri, 16 Apr 2010 07:31:26 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPA id 86CA9802AE; Fri, 16 Apr 2010 10:31:19 -0400 (EDT)
Message-ID: <>
Date: Fri, 16 Apr 2010 10:31:16 -0400
From: Dan Winship <>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20100330 Fedora/3.0.4-1.fc13 Thunderbird/3.0.4
MIME-Version: 1.0
To: Achim Hoffmann <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: http-state <>
Subject: Re: [http-state] Summary of discussion of Ticket 5 (Cookie ordering)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 16 Apr 2010 14:32:57 -0000

On 04/16/2010 06:11 AM, Achim Hoffmann wrote:
> According application security, I already explained that web applications which
> rely on the ordering somehow, are prone to some attacks.

Right, everyone agrees with that.

> As there is no common behaviour according this ordering in current browsers, I'd
> recommend that the spec does not recommend the cookie ordering. This is not wrong
> and would force web application developers to implement proper measures:

But there was already no recommended (total) ordering before, and yet
some web apps did depend on IE's ordering. And the sort of developers
who are going to write code that would depend on the exact ordering of
cookies are the sort of developers who aren't going to read the spec
anyway, so saying "don't assume an ordering" won't actually stop anyone.
(Though, yes, we should say it anyway.)

Now, if it's true that there isn't a consistent ordering among the major
browsers (which was something we didn't know at the start of the
debate), then maybe that will be enough to solve the problem; 5 years
ago people would test against just IE and call it good (and then blame
Firefox if the site didn't work with Firefox), but they can't really get
away with that any more.

-- Dan