Re: [http-state] non-ASCII cookie values (was Re: Closing Ticket 3: Public Suffixes)

Julian Reschke <> Mon, 01 February 2010 18:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 67D1F3A6988 for <>; Mon, 1 Feb 2010 10:44:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.58
X-Spam-Status: No, score=-4.58 tagged_above=-999 required=5 tests=[AWL=-1.981, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id klU-qG8gzlXk for <>; Mon, 1 Feb 2010 10:44:52 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 0E36F3A686A for <>; Mon, 1 Feb 2010 10:44:51 -0800 (PST)
Received: (qmail invoked by alias); 01 Feb 2010 18:44:58 -0000
Received: from (EHLO []) [] by (mp015) with SMTP; 01 Feb 2010 19:44:58 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/LvA54kXLL5LY7ou5bB3PICJr0Xc4OG1cI4ZQI5v yTQqziOA2sDCFX
Message-ID: <>
Date: Mon, 01 Feb 2010 19:44:31 +0100
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: Gecko/20060516 Thunderbird/ Mnenhy/
MIME-Version: 1.0
To: Adam Barth <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.62
Cc: eric bianchetti <>,
Subject: Re: [http-state] non-ASCII cookie values (was Re: Closing Ticket 3: Public Suffixes)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Feb 2010 18:44:53 -0000

Adam Barth wrote:
> On Sun, Jan 31, 2010 at 2:37 PM, eric bianchetti
> <> wrote:
>> That part does not please :
>> The cookie-value is opaque to the user agent and MAY be anything the
>>    origin server chooses to send, possibly in a server-selected
>>    printable ASCII encoding.
>> Livng and working in a non ASCII country, I tend to think we shall prepare for the coming of the other languages (Thai, Chines, Korean ....), IF a person get a cookie from a Thai server , can we securely suppose that person(computer) went to a thai site, and that person is using Thai on a daily basis? (Replace Thai by any multi bytes languages).
> The part of that sentence after the "possibly" doesn't haven any
> normative force (it's just advice that the server can take or leave).
> I can remove the reference to ASCII here if you like.  Julian please
> correct me if I'm wrong, but I believe that HTTP headers typically
> contain only ASCII characters.

I think the current thinking is: "it is opaque data, but for anything 
non-ASCII you need to negotiate it out-of-band between client and 
server, and furthermore intermediaries and libraries may screw things up".

So if the cookie is supposed to carry information that can't directly be 
encoded in ASCII, the best way is to use an encoding on top of it, such 
as base64.

BR, Julian