Re: [http-state] Ticket 5: Cookie ordering

"Yngve Nysaeter Pettersen" <yngve@opera.com> Mon, 08 February 2010 16:18 UTC


On Fri, 05 Feb 2010 13:56:58 +0100, Yngve Nysaeter Pettersen  
<yngve@opera.com> wrote:
> IOW, if ordering is determined by anything but the domain and path the  
> sequence of cookies is going to vary depending on which servers the  
> client visits and the sequence it visits them, and this might cause  
> significant problems for a server that considers ordering significant.

Some testing by a couple of my colleagues, setting two cookies with the  
same name (and path), "host-only" and "domain-wide", has found the  
following in browsers other than Opera:

-----
Visit order: Host-only, domain-wide
Cookie order:  "host-only", "domain-wide"
-----

-----
Visit order: domain-wide, Host-only
Cookie order (IE):  "host-only", "domain-wide"
Cookie order (Others): "domain-wide", "host-only"
-----

To me it looks like IE is sorting by domain, at the same path level, while  
FF and Safari (the two tested) sort on creation date.

The consequence is that there are apparently three deployed ways to send  
cookies:

    - Cookies at the same path level are grouped and sorted by creation date, earliest first (FF&co)
    - Cookies at the same path level are grouped and sorted by domain, most specific first (IE)
    - Cookies are grouped by domain (most specific first), then sorted by path (most specific first) within each domain (Opera)

IMO the creation date method is less predictable than the other two, and  
will cause problems for sites depending on a specific sequence of cookies.

My suggestion would be that the spec should recommend an ordering  
based on both domain and path (order of preference to be decided), as  
that will be more predictable for sites using multiple cookies with the  
same name at various domain and path levels.

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
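
The three orderings described in the message above, modelled as sort comparators and run against both visit orders. This is an added example, not part of the original post and not any browser's code; the cookie fields, the function names and the `example.com` domains are assumptions made for illustration.

```javascript
// Added illustration: models of the three deployed orderings described above.
// Cookie fields (domain, path, created) and all function names are assumptions.

// Longer domain or path = more specific; every cookie here already matches the request.
const byDomain = (a, b) => b.domain.length - a.domain.length;
const byPath = (a, b) => b.path.length - a.path.length;
const byCreation = (a, b) => a.created - b.created; // earliest first

// Chain comparators: the first non-zero result decides.
const chain = (...cmps) => (a, b) => {
  for (const cmp of cmps) {
    const r = cmp(a, b);
    if (r !== 0) return r;
  }
  return 0;
};

const ORDERINGS = {
  creationWithinPath: chain(byPath, byCreation), // FF & co
  domainWithinPath: chain(byPath, byDomain),     // IE
  domainThenPath: chain(byDomain, byPath),       // Opera
};

// Build a jar by "visiting" in the given order; creation time is the visit index.
function visit(order) {
  const defs = { // constructed sample cookies, same name and path
    "host-only": { domain: "www.example.com", path: "/" },
    "domain-wide": { domain: "example.com", path: "/" },
  };
  return order.map((value, i) => ({ name: "id", value, ...defs[value], created: i }));
}

// Cookie values in the order they would appear in the Cookie header.
function cookieOrder(jar, ordering) {
  return [...jar].sort(ORDERINGS[ordering]).map((c) => c.value);
}

// Run every ordering against both visit sequences from the message.
function compareVisitOrders() {
  const a = visit(["host-only", "domain-wide"]);
  const b = visit(["domain-wide", "host-only"]);
  const result = {};
  for (const name of Object.keys(ORDERINGS)) {
    result[name] = { first: cookieOrder(a, name), second: cookieOrder(b, name) };
  }
  return result;
}

console.log(JSON.stringify(compareVisitOrders(), null, 2));
```

Only the creation-date model changes its output between the two visit sequences; the two domain-based models send the same order either way.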