Re: [http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design
Mark Pauley <mpauley@apple.com> Thu, 18 November 2010 22:46 UTC
Return-Path: <mpauley@apple.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 11C2A3A689F for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 14:46:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S1wyi0nR08id for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 14:46:14 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 1227A3A679C for <http-state@ietf.org>; Thu, 18 Nov 2010 14:46:14 -0800 (PST)
Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out4.apple.com (Postfix) with ESMTP id 7FC8EBE403F8; Thu, 18 Nov 2010 14:47:02 -0800 (PST)
X-AuditID: 1180711d-b7b82ae0000060a0-43-4ce5ace66072
Received: from paulma.apple.com (paulma.apple.com [17.203.12.155]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by relay13.apple.com (Apple SCV relay) with SMTP id FB.1D.24736.6ECA5EC4; Thu, 18 Nov 2010 14:47:02 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Mark Pauley <mpauley@apple.com>
In-Reply-To: <AANLkTinPC7GtaS_Cx6G-HZGkM6JD+SgaGY5mApSFjy4M@mail.gmail.com>
Date: Thu, 18 Nov 2010 14:47:02 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <F3679DDF-1026-4437-B5E8-43D3A90AA55E@apple.com>
References: <AANLkTinfDu8SEJC8yd+q8dCOMOROpsBtOcgos4kTs=y3@mail.gmail.com> <B558AA9B-6879-4730-B85F-AF9C06F60399@apple.com> <AANLkTinPC7GtaS_Cx6G-HZGkM6JD+SgaGY5mApSFjy4M@mail.gmail.com>
To: Paul James Hammant <phammant@thoughtworks.com>
X-Mailer: Apple Mail (2.1082)
X-Brightmail-Tracker: AAAAAA==
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 22:46:15 -0000
On Nov 18, 2010, at 1:21 PM, Paul James Hammant wrote: > So my follow up blog entry isn't suggesting regex (and its 'two > problems') anymore, it is a comma separated bang (!) prefixed > expression that looks like the current path concept. > > Also the follow-up blog entry is about pitching the need of mom and > pop sites who are not going to get into the business of CDNs. > > Lastly, in terms of URLs dynamic resources are nearly always mounted > at root: examples.com/buyIt?.. rather than in a directory like > examples.com/dynamic/buyIt because the end users see this URL (at > least if they are reasonably technical and gaze up). > > I'm not going to respond to the implicit suggest that the cookie spec > should be parked broken forever :-P > > Well thanks for listening anyway :) Totally! It's just that I have never heard anyone clamoring for this before. Most small websites would do better to not set large cookies in general. A minimal cookie is just a primary key for your session table in the application database. As Adam mentioned earlier, 12 bytes is probably great for that a session key. Therefore: Cookie: s=123456789012 I don't really think it's a big deal compared to the fundamental problems of the cookie protocol / mechanism. I would rather not spend time spit-polishing a beater here. Most browsers probably waste more space in their user-agent string than that whole header would require. _Mark mpauley@apple.com
- [http-state] One last attempt to get y'all to lik… Paul James Hammant
- Re: [http-state] One last attempt to get y'all to… Mark Pauley
- Re: [http-state] One last attempt to get y'all to… Paul James Hammant
- Re: [http-state] One last attempt to get y'all to… Mark Pauley