Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?

Adam Barth <ietf@adambarth.com> Fri, 04 February 2011 08:29 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3F50C3A6909 for <http-state@core3.amsl.com>; Fri, 4 Feb 2011 00:29:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.705
X-Spam-Level:
X-Spam-Status: No, score=-3.705 tagged_above=-999 required=5 tests=[AWL=-0.728, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEZy8VXpXSPY for <http-state@core3.amsl.com>; Fri, 4 Feb 2011 00:29:13 -0800 (PST)
Received: from mail-qw0-f66.google.com (mail-qw0-f66.google.com [209.85.216.66]) by core3.amsl.com (Postfix) with ESMTP id DB1FB3A689A for <http-state@ietf.org>; Fri, 4 Feb 2011 00:29:11 -0800 (PST)
Received: by qwk3 with SMTP id 3so206075qwk.1 for <http-state@ietf.org>; Fri, 04 Feb 2011 00:32:36 -0800 (PST)
Received: by 10.229.96.132 with SMTP id h4mr8281909qcn.41.1296808355908; Fri, 04 Feb 2011 00:32:35 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by mx.google.com with ESMTPS id g32sm333278qck.46.2011.02.04.00.32.34 (version=SSLv3 cipher=RC4-MD5); Fri, 04 Feb 2011 00:32:35 -0800 (PST)
Received: by vws7 with SMTP id 7so1362249vws.31 for <http-state@ietf.org>; Fri, 04 Feb 2011 00:32:33 -0800 (PST)
Received: by 10.220.185.21 with SMTP id cm21mr580919vcb.213.1296808353583; Fri, 04 Feb 2011 00:32:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.220.165.212 with HTTP; Fri, 4 Feb 2011 00:32:03 -0800 (PST)
In-Reply-To: <4D4BB8B6.5070009@gmx.de>
References: <20110203195457.f00013ceab8fb1928885c5c172fbfd4a.d7bc172fae.wbe@email00.secureserver.net> <AANLkTim1rSdg_JmWhEihJROmN+uZABFcPtH-Ngup0WHF@mail.gmail.com> <4D4BB8B6.5070009@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 4 Feb 2011 00:32:03 -0800
Message-ID: <AANLkTikQBoz1pA2Oa73AziXhyuQ7b6OCN65-pd=VyApC@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: http-state@ietf.org
Subject: Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Feb 2011 08:29:14 -0000

On Fri, Feb 4, 2011 at 12:28 AM, Julian Reschke <julian.reschke@gmx.de>; wrote:
> On 04.02.2011 04:12, Adam Barth wrote:
>>
>> On Thu, Feb 3, 2011 at 6:54 PM, Remy Lebeau<remy@lebeausoftware.org>;
>>  wrote:
>>>
>>> -------- Original Message --------
>>> Subject: Re: [http-state] Is this an omission in the parser rules of
>>> draft-ietf-httpstate-cookie-21?
>>> From: Adam Barth<ietf@adambarth.com>;
>>> Date: Thu, February 03, 2011 12:18 pm
>>> To: Remy Lebeau<remy@lebeausoftware.org>;
>>> Cc: http-state@ietf.org
>>>
>>>> It's not an omission.  The use of quotation mark for cookie values in
>>>> RFC 2109 do not reflect how cookie behave in actual use.
>>>
>>> Just a minute ago, while logging in to Yahoo webmail, I noticed the
>>> server issue a cookie that uses quotations, and my IE 8 webbrowser sent
>>> back 3 cookies that used quotations.  See below.  Quotes in cookies are
>>> a real-world possibility, so the draft should allow for their presence,
>>> at least for user agents that parse cookies, if not in origin servers
>>> that generate them.
>>
>> I should be more clear.  Quotation marks are not special characters in
>> cookie values.  They have no effect on how cookies are processed.  Any
>> use of quotation marks by servers is pure superstition, just like
>> using a leading "." before the value of the Domain attribute.
>
>> ...
>
> Which leaves us with two questions:
>
> 1) Should they be allowed by the grammar in Section 4?

There's some discussion earlier on this list about changing the
grammar for cookie-value to include the base64 characters.  IMHO,
that's vastly more useful than pretending like quote marks mean
anything in this context.

> 2) This is a normative change. Shouldn't there be a section that explains
> what the normative differences compared to 2109 are?

We haven't done that for any of the other "changes" since 2109.  IMHO,
we'll lead happier lives if we act as if 2109 never existed.

Adam