Re: [http-state] consensus call: cookie server conformance

Dan Winship <dan.winship@gmail.com> Fri, 28 January 2011 21:57 UTC

Return-Path: <dan.winship@gmail.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A55B73A697B for <http-state@core3.amsl.com>; Fri, 28 Jan 2011 13:57:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.064
X-Spam-Level:
X-Spam-Status: No, score=-3.064 tagged_above=-999 required=5 tests=[AWL=-1.387, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FPfip4JaOM73 for <http-state@core3.amsl.com>; Fri, 28 Jan 2011 13:57:57 -0800 (PST)
Received: from mysterion.org (li168-117.members.linode.com [173.230.128.117]) by core3.amsl.com (Postfix) with ESMTP id F37A53A6975 for <http-state@ietf.org>; Fri, 28 Jan 2011 13:57:56 -0800 (PST)
Received: from desktop.home.mysterion.org (c-76-97-71-164.hsd1.ga.comcast.net [76.97.71.164]) by mysterion.org (Postfix) with ESMTPSA id ACC4934A13; Fri, 28 Jan 2011 17:01:02 -0500 (EST)
Message-ID: <4D433C9A.7010203@gmail.com>
Date: Fri, 28 Jan 2011 17:00:58 -0500
From: Dan Winship <dan.winship@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Thunderbird/3.1.7
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4D41FA83.5040302@KingsMountain.com>
In-Reply-To: <4D41FA83.5040302@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: IETF HTTP State WG <http-state@ietf.org>
Subject: Re: [http-state] consensus call: cookie server conformance
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 21:57:57 -0000

On 01/27/2011 06:06 PM, =JeffH wrote:
>> First, I proposed that we could modify Section 1 as follows:
>>
>>    Compliant servers MUST limit themselves to the well-behaved profile
>>    defined in Section 4 when generating cookies.
>>
>> Second, I proposed that we could then simplify Section 4 as follows:
>>
>>    This section describes the syntax and semantics of a well-behaved
>>    profile of the Cookie and Set-Cookie headers.

-1, because Section 4 says "cookie-value=token", which is annoying
(since it prohibits both base64 and URI encoding, both of which are
commonly used) and unnecessary for interoperability (both existing and
future clients will DTRT with non-token values) and widely violated by
real-world servers that would otherwise be considered well-behaved.

I suppose I could probably be happy with

    cookie-value  = token | base64-string
    base64-string = <a base64 string, defined in [RFC4648], Section 4>

and then change the later Base 16 reference back to Base 64. This still
declares lots of perfectly-interoperable servers "non-compliant", but it
at least provides them with a sane way out.

-- Dan