Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?

Adam Barth <ietf@adambarth.com> Fri, 04 February 2011 03:11 UTC


On Thu, Feb 3, 2011 at 6:54 PM, Remy Lebeau <remy@lebeausoftware.org> wrote:
>
> -------- Original Message --------
> Subject: Re: [http-state] Is this an omission in the parser rules of
> draft-ietf-httpstate-cookie-21?
> From: Adam Barth <ietf@adambarth.com>
> Date: Thu, February 03, 2011 12:18 pm
> To: Remy Lebeau <remy@lebeausoftware.org>
> Cc: http-state@ietf.org
>
>> It's not an omission.  The use of quotation marks for cookie values in
>> RFC 2109 does not reflect how cookies behave in actual use.
>
> Just a minute ago, while logging in to Yahoo webmail, I noticed the
> server issue a cookie that uses quotations, and my IE 8 web browser sent
> back 3 cookies that used quotations.  See below.  Quotes in cookies are
> a real-world possibility, so the draft should allow for their presence,
> at least for user agents that parse cookies, if not in origin servers
> that generate them.

I should be more clear.  Quotation marks are not special characters in
cookie values.  They have no effect on how cookies are processed.  Any
use of quotation marks by servers is pure superstition, just like
using a leading "." before the value of the Domain attribute.

Adam
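
The behaviour described in the message above, as an added example that is not part of the original post or of the draft: a simplified Python sketch of the user-agent parsing steps as published in RFC 6265 section 5.2, assumed here to match the draft under discussion. The function name parse_set_cookie and the sample headers are constructed for illustration.

```python
# Added example; parse_set_cookie and the sample headers are constructed.
# Simplified from the user-agent steps in RFC 6265 section 5.2.
WSP = " \t"

def parse_set_cookie(set_cookie_string):
    """Return (name, value, attrs), or None if the cookie is ignored."""
    # The name-value-pair is everything before the first ";".
    pair, _, unparsed = set_cookie_string.partition(";")
    if "=" not in pair:
        return None  # no "=": ignore the set-cookie-string entirely
    name, _, value = pair.partition("=")
    name, value = name.strip(WSP), value.strip(WSP)
    if not name:
        return None  # empty name: ignore the set-cookie-string entirely
    # There is no unquoting step: a DQUOTE is an ordinary octet of the value.
    attrs = {}
    for cookie_av in unparsed.split(";"):
        attr_name, _, attr_value = cookie_av.partition("=")
        attr_name = attr_name.strip(WSP).lower()
        attr_value = attr_value.strip(WSP)
        if not attr_name:
            continue
        if attr_name == "domain":
            if not attr_value:
                continue  # an empty Domain attribute is ignored
            # A leading "." is dropped, so it has no effect on matching.
            if attr_value.startswith("."):
                attr_value = attr_value[1:]
            attr_value = attr_value.lower()
        attrs[attr_name] = attr_value  # other attributes are kept raw here
    return name, value, attrs

if __name__ == "__main__":
    for header in ('sid="abc123"; Domain=.Example.com',
                   'sid=abc123; Domain=example.com',
                   'note="a;b"; Path=/'):
        print(repr(header), "->", parse_set_cookie(header))
```

The third sample shows the practical consequence for anyone validating cookies: because quotes are not special, a ";" inside a quoted value still ends the value, and the remainder is parsed as an attribute.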