Re: [http-state] Cookie path and trailing "/"

Zhong Yu <zhong.j.yu@gmail.com> Tue, 02 April 2013 01:18 UTC

From: Zhong Yu <zhong.j.yu@gmail.com>
To: Adam Barth <ietf@adambarth.com>
Cc: Pete Resnick <presnick@qti.qualcomm.com>, Barry Leiba <barryleiba@computer.org>, http-state <http-state@ietf.org>

Cool, I'll file a bug to Firefox.


On Mon, Apr 1, 2013 at 8:07 PM, Adam Barth <ietf@adambarth.com> wrote:

> On Mon, Apr 1, 2013 at 6:01 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> > Hello cookie masters,
> >
> > In the following example of an http response, two cookies are set which
> > differ in the trailing slash of the Path attribute
> >
> >     HTTP/1.1 200 OK
> >     Set-Cookie: n=v1; Path=/abc
> >     Set-Cookie: n=v2; Path=/abc/
> >
> > According to RFC6265, these are two distinct cookies. And cookie#2 is
> > not applicable to request-path "/abc".
> >
> > In my tests, IE and Chrome conform to these requirements. My question is,
> > are these requirements as intended?
>
> Yes.
>
> > What was the reason behind it?
>
> Based on our testing at the time, it was the most widely implemented
> behavior.
>
> > On Firefox the two cookies are also treated as distinct cookies; however
> > Firefox erroneously sends cookie#2 for request-path "/abc". Should that be
> > considered a bug?
>
> If Firefox changes its behavior to match the spec, it will be more
> interoperable with other user agents, which seems like a good thing.
>
> Adam
>
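
The behaviour discussed in this thread, as an added example that is not part of the original messages or of any browser's code: the RFC 6265 path-match rule (section 5.1.4) and name-plus-path cookie identity (section 5.3), applied to the two Set-Cookie headers quoted above. `CookieJar` and `threadExample` are hypothetical helpers; the jar ignores Domain, expiry and other attributes, and assumes a default path of "/" when no Path attribute is given.

```javascript
// True when requestPath path-matches cookiePath (RFC 6265 section 5.1.4).
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match only counts on a "/" boundary: either the cookie-path
  // ends in "/", or the next character of the request-path is "/".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Hypothetical single-host jar: cookies are keyed by (name, path) only.
class CookieJar {
  constructor() { this.cookies = new Map(); this.seq = 0; }

  // Stores a cookie from a header value such as "n=v1; Path=/abc".
  setCookie(header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return; // no name: ignore the header
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    let path = "/"; // assumption: default path when Path is absent
    for (const a of attrs) {
      const m = /^path=(\/.*)$/i.exec(a);
      if (m) path = m[1];
    }
    // Same name and path replaces the old cookie but keeps its creation order.
    const key = name + "\u0000" + path;
    const prev = this.cookies.get(key);
    const created = prev ? prev.created : this.seq++;
    this.cookies.set(key, { name, value, path, created });
  }

  // Cookie header value for a request path: longer paths first, then older
  // cookies first (the ordering recommended in RFC 6265 section 5.4).
  cookieHeader(requestPath) {
    return [...this.cookies.values()]
      .filter((c) => pathMatch(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Jar built from the response quoted in the thread.
function threadExample() {
  const jar = new CookieJar();
  jar.setCookie("n=v1; Path=/abc");
  jar.setCookie("n=v2; Path=/abc/");
  return jar;
}
```

For request-path "/abc" only `n=v1` is returned, which is the IE and Chrome behaviour reported in the thread; for "/abc/" both cookies match and the one with the longer path comes first.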