Re: [http-state] Ticket 5: Cookie ordering

Daniel Stenberg <> Tue, 09 February 2010 09:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3AFC03A6E79 for <>; Tue, 9 Feb 2010 01:15:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zIoDb0kAUYZx for <>; Tue, 9 Feb 2010 01:15:15 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4BDBE3A6A3D for <>; Tue, 9 Feb 2010 01:15:13 -0800 (PST)
Received: from ( []) by (8.14.3/8.14.3/Debian-9) with ESMTP id o199GEeb002334; Tue, 9 Feb 2010 10:16:15 +0100
Date: Tue, 9 Feb 2010 10:16:14 +0100 (CET)
From: Daniel Stenberg <>
To: Adam Barth <>
In-Reply-To: <>
Message-ID: <>
References: <> <op.u7mkruzjvqd7e2@killashandra.oslo.osa> <> <op.u7nnk8uyvqd7e2@killashandra.oslo.osa> <op.u7tgx5y4vqd7e2@killashandra.oslo.osa> <007901caa8de$a283e780$e78bb680$@com> <>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: http-state <>
Subject: Re: [http-state] Ticket 5: Cookie ordering
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 09 Feb 2010 09:15:18 -0000

On Mon, 8 Feb 2010, Adam Barth wrote:

> We have to send multiple cookies with the same name because that's what user 
> agents do today.  We're not permitted to alter the syntax of the protocol in 
> Phase 1.  In Phase 2, these sorts of changes will be on the table.

As this topic twists on, we all see that no server can rely on any specific 
order on cookies that are sent by clients, so thus we can in fact discourage 
the use of multiple cookies with the same name as there's basically no way for 
a server to know in which order it'll get the cookies. We can _perhaps_ find a 
sort order we can say clients should use, but as seen here that wouldn't 
change how a large amount of existing clients behave.

Also, allow me to re-iterate that the 5 major browsers are not even close to 
100% of the cookie using HTTP clients and we can find several other widely 
used implementations that will send the cookies in a different sort order than 
the big browsers.