Re: [http-state] Ticket 5: Cookie ordering

Adam Barth <ietf@adambarth.com> Mon, 08 February 2010 16:20 UTC

Return-Path: <adam@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4DF4D28C132 for <http-state@core3.amsl.com>; Mon, 8 Feb 2010 08:20:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VDv+SBwn70r for <http-state@core3.amsl.com>; Mon, 8 Feb 2010 08:20:13 -0800 (PST)
Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.26]) by core3.amsl.com (Postfix) with ESMTP id 4F14A28C125 for <http-state@ietf.org>; Mon, 8 Feb 2010 08:20:13 -0800 (PST)
Received: by qw-out-2122.google.com with SMTP id 9so896952qwb.31 for <http-state@ietf.org>; Mon, 08 Feb 2010 08:21:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.142.6.24 with SMTP id 24mr2875123wff.294.1265646072537; Mon, 08 Feb 2010 08:21:12 -0800 (PST)
In-Reply-To: <op.u7tgx5y4vqd7e2@killashandra.oslo.osa>
References: <7789133a1001191410l48530adar28098a03e6de0fb1@mail.gmail.com> <op.u7mkruzjvqd7e2@killashandra.oslo.osa> <alpine.DEB.2.00.1002050932580.3094@tvnag.unkk.fr> <op.u7nnk8uyvqd7e2@killashandra.oslo.osa> <op.u7tgx5y4vqd7e2@killashandra.oslo.osa>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 8 Feb 2010 08:20:52 -0800
Message-ID: <7789133a1002080820j745eaa87uffdf6ec8f6f7939e@mail.gmail.com>
To: yngve@opera.com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Daniel Stenberg <daniel@haxx.se>, http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 5: Cookie ordering
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2010 16:20:14 -0000

Would you be willing to share your test cases?  I'd like to add them
to the test suite.

Thanks,
Adam


On Mon, Feb 8, 2010 at 8:19 AM, Yngve Nysaeter Pettersen
<yngve@opera.com> wrote:
> On Fri, 05 Feb 2010 13:56:58 +0100, Yngve Nysaeter Pettersen
> <yngve@opera.com> wrote:
>>
>> IOW, if ordering is determined by anything but the domain and path the
>> sequence of cookie is going to vary depending on which servers the clients
>> visits and the sequence it visits them, and this might cause significant
>> problems for a server that considers ordering significant.
>
> Some testing by a couple of my colleagues setting two cookies with the same
> name (and path) "host-only" and "domain-wide" have found the following in
> browsers other than Opera:
>
> -----
> Visit order: Host-only, domain-wide
> Cookie order:  "host-only", "domain-wide"
> -----
>
> -----
> Visit order: domain-wide, Host-only
> Cookie order (IE):  "host-only", "domain-wide"
> Cookie order (Others): "domain-wide", "host-only"
> -----
>
> To me it looks like IE is sorting by domain, at the same path level, with FF
> and Safari (the two tested) sort on creation data.
>
> The consequence is that there is apparently three deployed ways to send
> cookies:
>
>   - Cookies at the same path level are grouped and sorted by creation date,
> earliest first (FF&co)
>   - Cookies at the same path level are grouped and sorted by domain, most
> specific first (IE)
>   - Cookies are grouped by domain (most specific first), then sorted by path
> (most specific first) within each domain (Opera)
>
> IMO the creation date method is less predictable than the other two, and
> will cause problems for sites depending on a specific sequence of cookies.
>
> My suggestion would be that the spec should recommend ordering an ordering
> based on on both domain and path (order of preference to be decided), as
> that will be more predictable for sites using multiple cookies with the same
> name at various domain and path levels.
>
> --
> Sincerely,
> Yngve N. Pettersen
> ********************************************************************
> Senior Developer                     Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
> _______________________________________________
> http-state mailing list
> http-state@ietf.org
> https://www.ietf.org/mailman/listinfo/http-state
>